git.proxmox.com Git - mirror_lxc.git/blob - doc/examples/seccomp-v2.conf
replace all lxc.network* with lxc.net*
2
whitelist trap
# 'whitelist' would normally mean kill a task doing any syscall which is not
# whitelisted below. By appending 'trap' to the line, we will cause a SIGSYS
# to be sent to the task instead. 'errno 0' would mean don't allow the system
# call but immediately return 0. 'errno 22' would mean return EINVAL immediately.
[x86_64]
open
close
read
write
mount
umount2
# Since we are listing system calls by name, we can also ask to have them resolved
# for another arch, i.e. for 32/64-bit versions.
[x86]
open
close
read
write
mount
umount2
# Do note that this policy does not whitelist enough system calls to allow a
# system container to boot.
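The following is an added example, not part of the LXC source tree: a small Python reader for the layout this file uses, which reports the action each syscall gets per architecture and flags syscalls whitelisted for one `[arch]` section but not another. It handles only what the file above shows (version line `2`, a `whitelist` line with optional `trap` or `errno N`, `[arch]` headers, bare syscall names); the function names and the sample policy are constructed for illustration.

```python
import re

# Constructed sample: same layout as the file above, but the [x86] section
# omits mount/umount2 so the per-arch difference is visible.
POLICY = """\
2
whitelist trap
[x86_64]
open
mount
umount2
[x86]
open
"""

def parse_policy(text):
    """Parse the subset of the v2 format shown in seccomp-v2.conf."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("expected version line '2' followed by a policy line")
    mode, *rest = lines[1].split()
    default = " ".join(rest) or "kill"   # bare 'whitelist' means kill
    if mode != "whitelist" or not re.fullmatch(r"kill|trap|errno \d+", default):
        raise ValueError(f"unsupported policy line: {lines[1]!r}")
    arches, current = {}, None
    for line in lines[2:]:
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = arches.setdefault(header.group(1), set())
        elif current is None or len(line.split()) != 1:
            raise ValueError(f"unsupported line in this reader: {line!r}")
        else:
            current.add(line)
    return {"default": default, "arches": arches}

def action_for(policy, arch, syscall):
    """'allow' if the syscall is whitelisted for arch, else the default action."""
    return "allow" if syscall in policy["arches"][arch] else policy["default"]

def arch_gaps(policy):
    """Syscalls whitelisted for some listed arch but missing from others."""
    union = set().union(*policy["arches"].values())
    return {a: sorted(union - s) for a, s in policy["arches"].items() if union - s}
```
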