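/*
 * Seccomp syscall policy. Each POLICY block lists the syscalls it allows,
 * optionally filtered on argument values; Main composes the blocks with USE,
 * and any syscall that matches no rule gets DEFAULT KILL.
 *
 * NOTE(review): the original text had every directive and block collapsed
 * onto one line; it is laid out one directive per line here.
 */

// ioctl request code matched by the AllowBasicIO rule.
#define TCGETS 0x5401

// mmap/mprotect protection bits. No rule below references them, so mmap and
// mprotect are allowed with any protection, including PROT_EXEC.
#define PROT_NONE 0x0
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#define PROT_EXEC 0x4

/*
 * open(2) flag bits, as x86-64 hex values (arch_prctl in AllowMisc implies
 * an x86 target -- TODO confirm).
 *
 * The original listing carried the digits of the octal constants from
 * <asm-generic/fcntl.h> behind a 0x prefix (O_CREAT 0x00000100,
 * O_EXCL 0x00000200, O_NOCTTY 0x00000400, O_NONBLOCK 0x00004000,
 * O_DIRECTORY 0x00200000, O_CLOEXEC 0x02000000). Read as hex, those numbers
 * are different kernel flags: 0x200 is O_TRUNC, so the old SAFE_WRONLY
 * (0x301) matched O_WRONLY|O_NOCTTY|O_TRUNC rather than the intended
 * create-exclusive mode, and a read-only open carrying the real O_CLOEXEC
 * bit matched nothing and was killed.
 */
#define O_RDONLY 0x00000000
#define O_WRONLY 0x00000001
#define O_RDWR 0x00000002
#define O_CREAT 0x00000040
#define O_EXCL 0x00000080
#define O_NOCTTY 0x00000100
#define O_NONBLOCK 0x00000800
#define O_DIRECTORY 0x00010000
#define O_CLOEXEC 0x00080000

// OPEN_MASK clears the bits that do not affect what an open may do:
// ~(O_CLOEXEC | O_DIRECTORY | O_NONBLOCK | O_NOCTTY).
#define OPEN_MASK 0xFFF6F6FF
// O_WRONLY | O_CREAT | O_EXCL: write access only to a file this call creates.
#define SAFE_WRONLY 0x000000C1
// O_RDWR | O_CREAT | O_EXCL. The original token was garbled ("0x00'00302");
// it is restored by analogy with SAFE_WRONLY.
#define SAFE_RDRW 0x000000C2

// Signal numbers. No rule below filters on a signal argument yet.
#define SIGHUP 1
#define SIGINT 2
#define SIGQUIT 3
#define SIGILL 4
#define SIGTRAP 5
#define SIGABRT 6
#define SIGIOT 6
#define SIGBUS 7
#define SIGFPE 8
#define SIGKILL 9
#define SIGUSR1 10
#define SIGSEGV 11
#define SIGUSR2 12
#define SIGPIPE 13
#define SIGALRM 14
#define SIGTERM 15
#define SIGSTKFLT 16
#define SIGCHLD 17
#define SIGCONT 18
#define SIGSTOP 19
#define SIGTSTP 20
#define SIGTTIN 21
#define SIGTTOU 22
#define SIGURG 23
#define SIGXCPU 24
#define SIGXFSZ 25
#define SIGVTALRM 26
#define SIGPROF 27
#define SIGWINCH 28
#define SIGIO 29
#define SIGPOLL 29

// Heap and mapping management, with no argument filter.
POLICY AllowAllocations {
  ALLOW {
    brk,
    mmap,
    mprotect,
    munmap
  }
}

/*
 * File-system access.
 *
 * A seccomp filter sees only argument register values, so the open rule
 * constrains the flags and cannot constrain the path: any path may be opened
 * read-only, and any path that does not yet exist may be created.
 *
 * NOTE(review): the masked comparisons rely on '&' binding tighter than
 * '=='; confirm against the policy compiler's grammar.
 * NOTE(review): openat, openat2 and creat are not listed and fall through to
 * DEFAULT KILL. If the sandboxed libc implements open() via openat, the
 * process dies on its first open -- verify against the target binary, and
 * apply the same flag filter if openat is added.
 */
POLICY AllowBasicFsCalls {
  ALLOW {
    access,
    close { fd > 2 },
    getcwd,
    getdents,
    ioctl { fd <= 2 },
    lseek,
    newlstat,
    newfstat,
    newstat,
    open {
      (flags == O_RDONLY) ||
      (flags & OPEN_MASK == O_RDONLY) ||
      (flags & OPEN_MASK == SAFE_WRONLY) ||
      (flags & OPEN_MASK == SAFE_RDRW)
    },
    read,
    readlink,
    write { fd > 2 }
  }
}

/*
 * Standard-stream I/O.
 *
 * NOTE(review): when Main combines this block with AllowBasicFsCalls the
 * rules appear to be additive (TODO confirm). If so, the effective policy is
 * wider than either block suggests:
 *   - read is unfiltered there, so read { fd == 0 } here adds nothing;
 *   - write is allowed on every descriptor except 0;
 *   - ioctl is allowed with any request code on fds 0-2, and with TCGETS on
 *     any fd. Consider limiting fds 0-2 to TCGETS as well if that is the
 *     only request the program needs.
 */
POLICY AllowBasicIO {
  ALLOW {
    ioctl { cmd == TCGETS },
    read { fd == 0 },
    readv { fd == 0 },
    write { fd == 1 || fd == 2 },
    writev { fd == 1 || fd == 2 }
  }
}

// Pipe creation. Main does not USE this block, so pipe and pipe2 are killed
// under the policy as composed below.
POLICY AllowIPC {
  ALLOW {
    pipe,
    pipe2
  }
}

// Process start-up and runtime housekeeping calls.
POLICY AllowMisc {
  ALLOW {
    arch_prctl,
    exit_group,
    futex,
    getrlimit,
    set_robust_list,
    set_tid_address,
    sysinfo
  }
}

// Signal handler installation and masking.
POLICY AllowSignals {
  ALLOW {
    rt_sigaction,
    rt_sigprocmask
  }
}

/*
 * Top-level policy. execve is allowed with no argument filter; a seccomp
 * filter stays installed across execve, so the program it starts runs under
 * this same policy.
 */
POLICY Main {
  ALLOW {
    execve
  },
  USE AllowAllocations,
  USE AllowBasicFsCalls,
  USE AllowBasicIO,
  USE AllowMisc,
  USE AllowSignals
}

USE Main DEFAULT KILL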