@default # System calls that are always permitted clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 execve exit exit_group futex futex_time64 get_robust_list get_thread_area getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getpgid getpgrp getpid getppid getresgid getresgid32 getresuid getresuid32 getrlimit getsid gettid gettimeofday getuid getuid32 membarrier nanosleep pause prlimit64 restart_syscall rseq rt_sigreturn sched_yield set_robust_list set_thread_area set_tid_address set_tls sigreturn time ugetrlimit @aio # Asynchronous IO io_cancel io_destroy io_getevents io_pgetevents io_pgetevents_time64 io_setup io_submit io_uring_enter io_uring_register io_uring_setup @basic-io # Basic IO _llseek close dup dup2 dup3 lseek pread64 preadv preadv2 pwrite64 pwritev pwritev2 read readv write writev @chown # Change ownership of files and directories chown chown32 fchown fchown32 fchownat lchown lchown32 @clock # Change the system time adjtimex clock_adjtime clock_adjtime64 clock_settime clock_settime64 settimeofday stime @cpu-emulation # System calls for CPU emulation functionality modify_ldt subpage_prot switch_endian vm86 vm86old @debug # Debugging, performance monitoring and tracing functionality lookup_dcookie perf_event_open pidfd_getfd ptrace rtas sys_debug_setcontext @file-system # File system operations access chdir chmod close creat faccessat fallocate fchdir fchmod fchmodat fcntl fcntl64 fgetxattr flistxattr fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 ftruncate ftruncate64 futimesat getcwd getdents getdents64 getxattr inotify_add_watch inotify_init inotify_init1 inotify_rm_watch lgetxattr link linkat listxattr llistxattr lremovexattr lsetxattr lstat lstat64 mkdir mkdirat mknod mknodat mmap mmap2 munmap newfstatat oldfstat oldlstat oldstat open openat openat2 readlink readlinkat removexattr rename renameat renameat2 rmdir setxattr stat stat64 statfs statfs64 statx 
symlink symlinkat truncate truncate64 unlink unlinkat utime utimensat utimensat_time64 utimes @io-event # Event loop system calls _newselect epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 poll ppoll ppoll_time64 pselect6 pselect6_time64 select @ipc # SysV IPC, POSIX Message Queues or other IPC ipc memfd_create mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink msgctl msgget msgrcv msgsnd pipe pipe2 process_vm_readv process_vm_writev semctl semget semop semtimedop semtimedop_time64 shmat shmctl shmdt shmget @keyring # Kernel keyring access add_key keyctl request_key @memlock # Memory locking control mlock mlock2 mlockall munlock munlockall @module # Loading and unloading of kernel modules delete_module finit_module init_module @mount # Mounting and unmounting of file systems chroot fsconfig fsmount fsopen fspick mount move_mount open_tree pivot_root umount umount2 @network-io # Network or Unix socket IO, should not be needed if not network facing accept accept4 bind connect getpeername getsockname getsockopt listen recv recvfrom recvmmsg recvmmsg_time64 recvmsg send sendmmsg sendmsg sendto setsockopt shutdown socket socketcall socketpair @obsolete # Unusual, obsolete or unimplemented system calls _sysctl afs_syscall bdflush break create_module ftime get_kernel_syms getpmsg gtty idle lock mpx prof profil putpmsg query_module security sgetmask ssetmask stty sysfs tuxcall ulimit uselib ustat vserver @pkey # System calls used for memory protection keys pkey_alloc pkey_free pkey_mprotect @privileged # All system calls which need super-user capabilities @chown @clock @module @raw-io @reboot @swap _sysctl acct bpf capset chroot fanotify_init fanotify_mark nfsservctl open_by_handle_at pivot_root quotactl setdomainname setfsuid setfsuid32 setgroups setgroups32 sethostname setresuid setresuid32 setreuid setreuid32 setuid setuid32 vhangup @process # Process 
control, execution, namespacing operations arch_prctl capget clone clone3 execveat fork getrusage kill pidfd_open pidfd_send_signal prctl rt_sigqueueinfo rt_tgsigqueueinfo setns swapcontext tgkill times tkill unshare vfork wait4 waitid waitpid @raw-io # Raw I/O port access ioperm iopl pciconfig_iobase pciconfig_read pciconfig_write @reboot # Reboot and reboot preparation/kexec kexec_file_load kexec_load reboot @resources # Alter resource settings ioprio_set mbind migrate_pages move_pages nice sched_setaffinity sched_setattr sched_setparam sched_setscheduler set_mempolicy setpriority setrlimit @setuid # Operations for changing user/group credentials setgid setgid32 setgroups setgroups32 setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setuid setuid32 @signal # Process signal handling rt_sigaction rt_sigpending rt_sigprocmask rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigsuspend @swap # Enable/disable swap devices swapoff swapon @sync # Synchronize files and memory to storage fdatasync fsync msync sync sync_file_range sync_file_range2 syncfs @system-service # General system service operations @aio @basic-io @chown @default @file-system @io-event @ipc @keyring @memlock @network-io @process @resources @setuid @signal @sync @timer brk capget capset copy_file_range fadvise64 fadvise64_64 flock get_mempolicy getcpu getpriority getrandom ioctl ioprio_get kcmp madvise mprotect mremap name_to_handle_at oldolduname olduname personality readahead readdir remap_file_pages sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_yield sendfile sendfile64 setfsgid setfsgid32 setfsuid setfsuid32 setpgid setsid splice sysinfo tee umask uname userfaultfd vmsplice @timer # Schedule operations by time alarm getitimer setitimer timer_create timer_delete 
timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 times # Unlisted System Calls (supported by the local kernel, but not included in any of the groups listed above): # mincore # seccomp # syslog