diff --git a/README.md b/README.md index b9b2fca..ff76ba8 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -# qssb.h (quite simple sandbox) -`qssb.h` is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end. +# exile.h +`exile.h` is a simple header-only library that provides an interface to isolate processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end. ## Status No release yet, expiremental, API is unstable, builds will break on updates of this library. @@ -48,8 +48,8 @@ the library may check against that. Execute Contributions are very welcome. Options: -1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb.h) -2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from. +1. Pull-Request on [github](https://github.com/quitesimpleorg/exile.h) +2. Mail to `exile at quitesimple.org` with instructions on where to pull the changes from. 3. Mailing a classic patch/diff to the same address. diff --git a/exile.h b/exile.h index 2f7c0cc..9bc511d 100644 --- a/exile.h +++ b/exile.h @@ -14,8 +14,8 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifndef QSSB_H -#define QSSB_H +#ifndef EXILE_H +#define EXILE_H #ifndef _GNU_SOURCE #define _GNU_SOURCE @@ -55,7 +55,7 @@ #if HAVE_LANDLOCK == 1 #include #if LANDLOCK_CREATE_RULESET_VERSION != (1U << 0) - #error "This landlock ABI version is not supported by qssb (yet)" + #error "This landlock ABI version is not supported by exile.h (yet)" #endif #endif @@ -63,48 +63,48 @@ #if defined(__x86_64__) #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64 #else -#error Seccomp support has not been tested for qssb.h for this platform yet +#error Seccomp support has not been tested for exile.h for this platform yet #endif #define SYSCALL(nr, jt) \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (nr), 0, 1), jt -#define QSSB_UNSHARE_NETWORK 1<<1 -#define QSSB_UNSHARE_USER 1<<2 -#define QSSB_UNSHARE_MOUNT 1<<3 +#define EXILE_UNSHARE_NETWORK 1<<1 +#define EXILE_UNSHARE_USER 1<<2 +#define EXILE_UNSHARE_MOUNT 1<<3 -#ifndef QSSB_LOG_ERROR -#define QSSB_LOG_ERROR(...) fprintf(stderr, __VA_ARGS__) +#ifndef EXILE_LOG_ERROR +#define EXILE_LOG_ERROR(...) fprintf(stderr, __VA_ARGS__) #endif -#ifndef QSSB_TEMP_DIR -#define QSSB_TEMP_DIR "/tmp" +#ifndef EXILE_TEMP_DIR +#define EXILE_TEMP_DIR "/tmp" #endif -#define QSSB_SYS(x) __NR_##x +#define EXILE_SYS(x) __NR_##x -#define QSSB_FS_ALLOW_READ 1<<0 -#define QSSB_FS_ALLOW_WRITE (1<<1) -#define QSSB_FS_ALLOW_EXEC 1<<2 -#define QSSB_FS_ALLOW_DEV 1<<3 -#define QSSB_FS_ALLOW_SETUID 1<<4 +#define EXILE_FS_ALLOW_READ 1<<0 +#define EXILE_FS_ALLOW_WRITE (1<<1) +#define EXILE_FS_ALLOW_EXEC 1<<2 +#define EXILE_FS_ALLOW_DEV 1<<3 +#define EXILE_FS_ALLOW_SETUID 1<<4 //don't mount recursive -#define QSSB_MOUNT_NOT_REC 1<<5 +#define EXILE_MOUNT_NOT_REC 1<<5 #if HAVE_LANDLOCK == 1 -#define QSSB_FS_ALLOW_REMOVE_DIR (1 << 7) -#define QSSB_FS_ALLOW_REMOVE_FILE (1 << 8) -#define QSSB_FS_ALLOW_MAKE_CHAR (1 << 9) -#define QSSB_FS_ALLOW_MAKE_DIR (1 << 10) -#define QSSB_FS_ALLOW_MAKE_REG (1 << 11) -#define QSSB_FS_ALLOW_MAKE_SOCK (1 << 12) -#define QSSB_FS_ALLOW_MAKE_FIFO (1 << 13) -#define QSSB_FS_ALLOW_MAKE_BLOCK (1 << 14) -#define QSSB_FS_ALLOW_MAKE_SYM (1 << 15) -#define QSSB_FS_ALLOW_WRITE_FILE (1 << 16) -#define QSSB_FS_ALLOW_READ_DIR (1 << 17) -#define QSSB_FS_ALLOW_REMOVE (1 << 18) +#define EXILE_FS_ALLOW_REMOVE_DIR (1 << 7) +#define EXILE_FS_ALLOW_REMOVE_FILE (1 << 8) +#define EXILE_FS_ALLOW_MAKE_CHAR (1 << 9) +#define EXILE_FS_ALLOW_MAKE_DIR (1 << 10) +#define EXILE_FS_ALLOW_MAKE_REG (1 << 11) +#define EXILE_FS_ALLOW_MAKE_SOCK (1 << 12) +#define EXILE_FS_ALLOW_MAKE_FIFO (1 << 13) +#define EXILE_FS_ALLOW_MAKE_BLOCK (1 << 14) +#define EXILE_FS_ALLOW_MAKE_SYM (1 << 15) +#define EXILE_FS_ALLOW_WRITE_FILE (1 << 16) +#define EXILE_FS_ALLOW_READ_DIR (1 << 17) +#define EXILE_FS_ALLOW_REMOVE (1 << 18) #ifndef landlock_create_ruleset static inline int landlock_create_ruleset( @@ -230,67 +230,67 @@ static inline int landlock_restrict_self(const int ruleset_fd, #endif #endif -#define QSSB_SYSCGROUP_CHROOT ((uint64_t)1<<0) -#define QSSB_SYSCGROUP_CLOCK ((uint64_t)1<<1) -#define QSSB_SYSCGROUP_CLONE ((uint64_t)1<<2) -#define QSSB_SYSCGROUP_DEFAULT_ALLOW ((uint64_t)1<<3) -#define QSSB_SYSCGROUP_DEV ((uint64_t)1<<4) -#define QSSB_SYSCGROUP_EXEC ((uint64_t)1<<5) -#define QSSB_SYSCGROUP_EXIT ((uint64_t)1<<6) -#define QSSB_SYSCGROUP_FANOTIFY ((uint64_t)1<<7) -#define QSSB_SYSCGROUP_FD ((uint64_t)1<<8) -#define QSSB_SYSCGROUP_FS ((uint64_t)1<<9) -#define QSSB_SYSCGROUP_FUTEX ((uint64_t)1<<10) -#define QSSB_SYSCGROUP_HOST ((uint64_t)1<<11) -#define QSSB_SYSCGROUP_ID ((uint64_t)1<<12) -#define QSSB_SYSCGROUP_INOTIFY ((uint64_t)1<<13) -#define QSSB_SYSCGROUP_IO ((uint64_t)1<<14) -#define QSSB_SYSCGROUP_IOCTL ((uint64_t)1<<15) -#define QSSB_SYSCGROUP_IOPL ((uint64_t)1<<16) -#define QSSB_SYSCGROUP_IOURING ((uint64_t)1<<17) -#define QSSB_SYSCGROUP_IPC ((uint64_t)1<<18) -#define QSSB_SYSCGROUP_KEXEC ((uint64_t)1<<19) -#define QSSB_SYSCGROUP_KEYS ((uint64_t)1<<20) -#define QSSB_SYSCGROUP_KILL ((uint64_t)1<<21) -#define QSSB_SYSCGROUP_KMOD ((uint64_t)1<<22) -#define QSSB_SYSCGROUP_LANDLOCK ((uint64_t)1<<23) -#define QSSB_SYSCGROUP_LIB ((uint64_t)1<<24) -#define QSSB_SYSCGROUP_MEMORY ((uint64_t)1<<25) -#define QSSB_SYSCGROUP_MOUNT ((uint64_t)1<<26) -#define QSSB_SYSCGROUP_MQ ((uint64_t)1<<27) -#define QSSB_SYSCGROUP_NEWMOUNT ((uint64_t)1<<28) -#define QSSB_SYSCGROUP_NONE ((uint64_t)1<<29) -#define QSSB_SYSCGROUP_NS ((uint64_t)1<<30) -#define QSSB_SYSCGROUP_PATH ((uint64_t)1<<31) -#define QSSB_SYSCGROUP_PAUSE ((uint64_t)1<<32) -#define QSSB_SYSCGROUP_PERF ((uint64_t)1<<33) -#define QSSB_SYSCGROUP_PERMS ((uint64_t)1<<34) -#define QSSB_SYSCGROUP_PIDFD ((uint64_t)1<<35) -#define QSSB_SYSCGROUP_PKEY ((uint64_t)1<<36) -#define QSSB_SYSCGROUP_POWER ((uint64_t)1<<37) -#define QSSB_SYSCGROUP_PRIO ((uint64_t)1<<38) -#define QSSB_SYSCGROUP_PROCESS ((uint64_t)1<<39) -#define QSSB_SYSCGROUP_PTRACE ((uint64_t)1<<40) -#define QSSB_SYSCGROUP_QUOTA ((uint64_t)1<<41) -#define QSSB_SYSCGROUP_RES ((uint64_t)1<<42) -#define QSSB_SYSCGROUP_RT ((uint64_t)1<<43) -#define QSSB_SYSCGROUP_SCHED ((uint64_t)1<<44) -#define QSSB_SYSCGROUP_SEM ((uint64_t)1<<45) -#define QSSB_SYSCGROUP_SHM ((uint64_t)1<<46) -#define QSSB_SYSCGROUP_SIGNAL ((uint64_t)1<<47) -#define QSSB_SYSCGROUP_SOCKET ((uint64_t)1<<48) -#define QSSB_SYSCGROUP_STAT ((uint64_t)1<<49) -#define QSSB_SYSCGROUP_STDIO ((uint64_t)1<<50) -#define QSSB_SYSCGROUP_SWAP ((uint64_t)1<<51) -#define QSSB_SYSCGROUP_SYS ((uint64_t)1<<52) -#define QSSB_SYSCGROUP_SYSCALL ((uint64_t)1<<53) -#define QSSB_SYSCGROUP_THREAD ((uint64_t)1<<54) -#define QSSB_SYSCGROUP_TIME ((uint64_t)1<<55) -#define QSSB_SYSCGROUP_TIMER ((uint64_t)1<<56) -#define QSSB_SYSCGROUP_TTY ((uint64_t)1<<57) -#define QSSB_SYSCGROUP_UMOUNT ((uint64_t)1<<58) -#define QSSB_SYSCGROUP_UNIMPLEMENTED ((uint64_t)1<<59) -#define QSSB_SYSCGROUP_XATTR ((uint64_t)1<<60) +#define EXILE_SYSCGROUP_CHROOT ((uint64_t)1<<0) +#define EXILE_SYSCGROUP_CLOCK ((uint64_t)1<<1) +#define EXILE_SYSCGROUP_CLONE ((uint64_t)1<<2) +#define EXILE_SYSCGROUP_DEFAULT_ALLOW ((uint64_t)1<<3) +#define EXILE_SYSCGROUP_DEV ((uint64_t)1<<4) +#define EXILE_SYSCGROUP_EXEC ((uint64_t)1<<5) +#define EXILE_SYSCGROUP_EXIT ((uint64_t)1<<6) +#define EXILE_SYSCGROUP_FANOTIFY ((uint64_t)1<<7) +#define EXILE_SYSCGROUP_FD ((uint64_t)1<<8) +#define EXILE_SYSCGROUP_FS ((uint64_t)1<<9) +#define EXILE_SYSCGROUP_FUTEX ((uint64_t)1<<10) +#define EXILE_SYSCGROUP_HOST ((uint64_t)1<<11) +#define EXILE_SYSCGROUP_ID ((uint64_t)1<<12) +#define EXILE_SYSCGROUP_INOTIFY ((uint64_t)1<<13) +#define EXILE_SYSCGROUP_IO ((uint64_t)1<<14) +#define EXILE_SYSCGROUP_IOCTL ((uint64_t)1<<15) +#define EXILE_SYSCGROUP_IOPL ((uint64_t)1<<16) +#define EXILE_SYSCGROUP_IOURING ((uint64_t)1<<17) +#define EXILE_SYSCGROUP_IPC ((uint64_t)1<<18) +#define EXILE_SYSCGROUP_KEXEC ((uint64_t)1<<19) +#define EXILE_SYSCGROUP_KEYS ((uint64_t)1<<20) +#define EXILE_SYSCGROUP_KILL ((uint64_t)1<<21) +#define EXILE_SYSCGROUP_KMOD ((uint64_t)1<<22) +#define EXILE_SYSCGROUP_LANDLOCK ((uint64_t)1<<23) +#define EXILE_SYSCGROUP_LIB ((uint64_t)1<<24) +#define EXILE_SYSCGROUP_MEMORY ((uint64_t)1<<25) +#define EXILE_SYSCGROUP_MOUNT ((uint64_t)1<<26) +#define EXILE_SYSCGROUP_MQ ((uint64_t)1<<27) +#define EXILE_SYSCGROUP_NEWMOUNT ((uint64_t)1<<28) +#define EXILE_SYSCGROUP_NONE ((uint64_t)1<<29) +#define EXILE_SYSCGROUP_NS ((uint64_t)1<<30) +#define EXILE_SYSCGROUP_PATH ((uint64_t)1<<31) +#define EXILE_SYSCGROUP_PAUSE ((uint64_t)1<<32) +#define EXILE_SYSCGROUP_PERF ((uint64_t)1<<33) +#define EXILE_SYSCGROUP_PERMS ((uint64_t)1<<34) +#define EXILE_SYSCGROUP_PIDFD ((uint64_t)1<<35) +#define EXILE_SYSCGROUP_PKEY ((uint64_t)1<<36) +#define EXILE_SYSCGROUP_POWER ((uint64_t)1<<37) +#define EXILE_SYSCGROUP_PRIO ((uint64_t)1<<38) +#define EXILE_SYSCGROUP_PROCESS ((uint64_t)1<<39) +#define EXILE_SYSCGROUP_PTRACE ((uint64_t)1<<40) +#define EXILE_SYSCGROUP_QUOTA ((uint64_t)1<<41) +#define EXILE_SYSCGROUP_RES ((uint64_t)1<<42) +#define EXILE_SYSCGROUP_RT ((uint64_t)1<<43) +#define EXILE_SYSCGROUP_SCHED ((uint64_t)1<<44) +#define EXILE_SYSCGROUP_SEM ((uint64_t)1<<45) +#define EXILE_SYSCGROUP_SHM ((uint64_t)1<<46) +#define EXILE_SYSCGROUP_SIGNAL ((uint64_t)1<<47) +#define EXILE_SYSCGROUP_SOCKET ((uint64_t)1<<48) +#define EXILE_SYSCGROUP_STAT ((uint64_t)1<<49) +#define EXILE_SYSCGROUP_STDIO ((uint64_t)1<<50) +#define EXILE_SYSCGROUP_SWAP ((uint64_t)1<<51) +#define EXILE_SYSCGROUP_SYS ((uint64_t)1<<52) +#define EXILE_SYSCGROUP_SYSCALL ((uint64_t)1<<53) +#define EXILE_SYSCGROUP_THREAD ((uint64_t)1<<54) +#define EXILE_SYSCGROUP_TIME ((uint64_t)1<<55) +#define EXILE_SYSCGROUP_TIMER ((uint64_t)1<<56) +#define EXILE_SYSCGROUP_TTY ((uint64_t)1<<57) +#define EXILE_SYSCGROUP_UMOUNT ((uint64_t)1<<58) +#define EXILE_SYSCGROUP_UNIMPLEMENTED ((uint64_t)1<<59) +#define EXILE_SYSCGROUP_XATTR ((uint64_t)1<<60) struct syscall_group_map { @@ -299,378 +299,378 @@ struct syscall_group_map }; struct syscall_group_map sc_group_map[] = { -{QSSB_SYS(read), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(write), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(open), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(close), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(stat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fstat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(lstat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(poll), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(lseek), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(mmap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(mprotect), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(munmap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(brk), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(rt_sigaction), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(rt_sigprocmask), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(rt_sigreturn), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(ioctl), QSSB_SYSCGROUP_IOCTL|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(pread64), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(pwrite64), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(readv), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(writev), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(access), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(pipe), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(select), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(sched_yield), QSSB_SYSCGROUP_SCHED|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(mremap), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(msync), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(mincore), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(madvise), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(shmget), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(shmat), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(shmctl), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(dup), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(dup2), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(pause), QSSB_SYSCGROUP_PAUSE|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(nanosleep), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getitimer), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(alarm), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(setitimer), QSSB_SYSCGROUP_TIMER|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getpid), QSSB_SYSCGROUP_PROCESS|QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(sendfile), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(socket), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(connect), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(accept), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(sendto), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(recvfrom), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(sendmsg), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(recvmsg), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(shutdown), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(bind), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(listen), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(getsockname), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(getpeername), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(socketpair), QSSB_SYSCGROUP_SOCKET|QSSB_SYSCGROUP_IPC}, -{QSSB_SYS(setsockopt), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(getsockopt), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(clone), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(fork), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(vfork), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(execve), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_EXEC}, -{QSSB_SYS(exit), QSSB_SYSCGROUP_PROCESS|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(wait4), QSSB_SYSCGROUP_EXEC}, -{QSSB_SYS(kill), QSSB_SYSCGROUP_KILL}, -{QSSB_SYS(uname), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(semget), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(semop), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(semctl), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(shmdt), QSSB_SYSCGROUP_SHM|QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(msgget), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(msgsnd), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(msgrcv), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(msgctl), QSSB_SYSCGROUP_IPC|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(fcntl), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(flock), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(fsync), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(fdatasync), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(truncate), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(ftruncate), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(getdents), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(getcwd), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(chdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fchdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(rename), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(mkdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(rmdir), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(creat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(link), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(unlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(symlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(readlink), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(chmod), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fchmod), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(chown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fchown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(lchown), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(umask), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(gettimeofday), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getrlimit), QSSB_SYSCGROUP_RES|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getrusage), QSSB_SYSCGROUP_RES|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(sysinfo), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(times), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(ptrace), QSSB_SYSCGROUP_PTRACE|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(syslog), QSSB_SYSCGROUP_SYS}, -{QSSB_SYS(getgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(setuid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(setgid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(geteuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getegid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(setpgid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(getppid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getpgrp), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(setsid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(setreuid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(setregid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(getgroups), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(setgroups), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(setresuid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(getresuid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(setresgid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(getresgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(getpgid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(setfsuid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(setfsgid), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(getsid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(capget), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(capset), QSSB_SYSCGROUP_ID}, -{QSSB_SYS(rt_sigpending), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(rt_sigtimedwait), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(rt_sigqueueinfo), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(rt_sigsuspend), QSSB_SYSCGROUP_RT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(sigaltstack), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_SIGNAL}, -{QSSB_SYS(utime), QSSB_SYSCGROUP_TIME|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(mknod), QSSB_SYSCGROUP_DEV|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(uselib), QSSB_SYSCGROUP_LIB|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(personality), QSSB_SYSCGROUP_PROCESS}, -{QSSB_SYS(ustat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(statfs), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fstatfs), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(sysfs), QSSB_SYSCGROUP_SYS|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(getpriority), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(setpriority), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_setparam), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_getparam), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_setscheduler), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_getscheduler), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_get_priority_max), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_get_priority_min), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_rr_get_interval), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(mlock), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(munlock), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(mlockall), QSSB_SYSCGROUP_MEMORY}, -{QSSB_SYS(munlockall), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(vhangup), QSSB_SYSCGROUP_TTY}, -{QSSB_SYS(modify_ldt), QSSB_SYSCGROUP_PROCESS}, -{QSSB_SYS(pivot_root), QSSB_SYSCGROUP_CHROOT}, -{QSSB_SYS(_sysctl), QSSB_SYSCGROUP_SYS}, -{QSSB_SYS(prctl), QSSB_SYSCGROUP_PROCESS}, -{QSSB_SYS(arch_prctl), QSSB_SYSCGROUP_PROCESS}, -{QSSB_SYS(adjtimex), QSSB_SYSCGROUP_CLOCK}, -{QSSB_SYS(setrlimit), QSSB_SYSCGROUP_RES}, -{QSSB_SYS(chroot), QSSB_SYSCGROUP_CHROOT|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(sync), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(acct), QSSB_SYSCGROUP_PROCESS}, -{QSSB_SYS(settimeofday), QSSB_SYSCGROUP_TIME}, -{QSSB_SYS(mount), QSSB_SYSCGROUP_MOUNT|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(umount2), QSSB_SYSCGROUP_UMOUNT|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(swapon), QSSB_SYSCGROUP_SWAP}, -{QSSB_SYS(swapoff), QSSB_SYSCGROUP_SWAP}, -{QSSB_SYS(reboot), QSSB_SYSCGROUP_POWER}, -{QSSB_SYS(sethostname), QSSB_SYSCGROUP_HOST}, -{QSSB_SYS(setdomainname), QSSB_SYSCGROUP_HOST}, -{QSSB_SYS(iopl), QSSB_SYSCGROUP_IOPL}, -{QSSB_SYS(ioperm), QSSB_SYSCGROUP_IOPL}, -{QSSB_SYS(create_module), QSSB_SYSCGROUP_KMOD}, -{QSSB_SYS(init_module), QSSB_SYSCGROUP_KMOD}, -{QSSB_SYS(delete_module), QSSB_SYSCGROUP_KMOD}, -{QSSB_SYS(get_kernel_syms), QSSB_SYSCGROUP_KMOD}, -{QSSB_SYS(query_module), QSSB_SYSCGROUP_KMOD}, -{QSSB_SYS(quotactl), QSSB_SYSCGROUP_QUOTA}, -{QSSB_SYS(nfsservctl), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(getpmsg), QSSB_SYSCGROUP_UNIMPLEMENTED}, -{QSSB_SYS(putpmsg), QSSB_SYSCGROUP_UNIMPLEMENTED}, -{QSSB_SYS(afs_syscall), QSSB_SYSCGROUP_UNIMPLEMENTED}, -{QSSB_SYS(tuxcall), QSSB_SYSCGROUP_UNIMPLEMENTED}, -{QSSB_SYS(security), QSSB_SYSCGROUP_UNIMPLEMENTED}, -{QSSB_SYS(gettid), QSSB_SYSCGROUP_ID|QSSB_SYSCGROUP_THREAD}, -{QSSB_SYS(readahead), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(setxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(lsetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fsetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(getxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(lgetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fgetxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(listxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(llistxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(flistxattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(removexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(lremovexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fremovexattr), QSSB_SYSCGROUP_XATTR|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(tkill), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_SIGNAL}, -{QSSB_SYS(time), QSSB_SYSCGROUP_TIME}, -{QSSB_SYS(futex), QSSB_SYSCGROUP_THREAD|QSSB_SYSCGROUP_FUTEX}, -{QSSB_SYS(sched_setaffinity), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_getaffinity), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(set_thread_area), QSSB_SYSCGROUP_THREAD}, -{QSSB_SYS(io_setup), QSSB_SYSCGROUP_IO}, -{QSSB_SYS(io_destroy), QSSB_SYSCGROUP_IO}, -{QSSB_SYS(io_getevents), QSSB_SYSCGROUP_IO}, -{QSSB_SYS(io_submit), QSSB_SYSCGROUP_IO}, -{QSSB_SYS(io_cancel), QSSB_SYSCGROUP_IO}, -{QSSB_SYS(get_thread_area), QSSB_SYSCGROUP_THREAD}, -{QSSB_SYS(lookup_dcookie), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(epoll_create), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(epoll_ctl_old), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(epoll_wait_old), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(remap_file_pages), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(getdents64), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(set_tid_address), QSSB_SYSCGROUP_THREAD}, -{QSSB_SYS(restart_syscall), QSSB_SYSCGROUP_SYSCALL}, -{QSSB_SYS(semtimedop), QSSB_SYSCGROUP_SEM}, -{QSSB_SYS(fadvise64), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FD}, -{QSSB_SYS(timer_create), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(timer_settime), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(timer_gettime), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(timer_getoverrun), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(timer_delete), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(clock_settime), QSSB_SYSCGROUP_TIME}, -{QSSB_SYS(clock_gettime), QSSB_SYSCGROUP_TIME}, -{QSSB_SYS(clock_getres), QSSB_SYSCGROUP_TIME}, -{QSSB_SYS(clock_nanosleep), QSSB_SYSCGROUP_TIME}, -{QSSB_SYS(exit_group), QSSB_SYSCGROUP_EXIT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(epoll_wait), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(epoll_ctl), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(tgkill), QSSB_SYSCGROUP_SIGNAL|QSSB_SYSCGROUP_THREAD}, -{QSSB_SYS(utimes), QSSB_SYSCGROUP_PATH}, -{QSSB_SYS(vserver), QSSB_SYSCGROUP_UNIMPLEMENTED}, -{QSSB_SYS(mbind), QSSB_SYSCGROUP_MEMORY}, -{QSSB_SYS(set_mempolicy), QSSB_SYSCGROUP_MEMORY}, -{QSSB_SYS(get_mempolicy), QSSB_SYSCGROUP_MEMORY}, -{QSSB_SYS(mq_open), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC}, -{QSSB_SYS(mq_unlink), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC}, -{QSSB_SYS(mq_timedsend), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC}, -{QSSB_SYS(mq_timedreceive), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC}, -{QSSB_SYS(mq_notify), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC}, -{QSSB_SYS(mq_getsetattr), QSSB_SYSCGROUP_MQ|QSSB_SYSCGROUP_IPC}, -{QSSB_SYS(kexec_load), QSSB_SYSCGROUP_KEXEC}, -{QSSB_SYS(waitid), QSSB_SYSCGROUP_SIGNAL}, -{QSSB_SYS(add_key), QSSB_SYSCGROUP_KEYS}, -{QSSB_SYS(request_key), QSSB_SYSCGROUP_KEYS}, -{QSSB_SYS(keyctl), QSSB_SYSCGROUP_KEYS}, -{QSSB_SYS(ioprio_set), QSSB_SYSCGROUP_PRIO}, -{QSSB_SYS(ioprio_get), QSSB_SYSCGROUP_PRIO}, -{QSSB_SYS(inotify_init), QSSB_SYSCGROUP_INOTIFY}, -{QSSB_SYS(inotify_add_watch), QSSB_SYSCGROUP_INOTIFY}, -{QSSB_SYS(inotify_rm_watch), QSSB_SYSCGROUP_INOTIFY}, -{QSSB_SYS(migrate_pages), QSSB_SYSCGROUP_PROCESS}, -{QSSB_SYS(openat), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(mkdirat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(mknodat), QSSB_SYSCGROUP_DEV|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fchownat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(futimesat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(newfstatat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(unlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(renameat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(linkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(symlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(readlinkat), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(fchmodat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(faccessat), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(pselect6), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(ppoll), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(unshare), QSSB_SYSCGROUP_NS|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(set_robust_list), QSSB_SYSCGROUP_FUTEX}, -{QSSB_SYS(get_robust_list), QSSB_SYSCGROUP_FUTEX}, -{QSSB_SYS(splice), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(tee), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(sync_file_range), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(vmsplice), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(move_pages), QSSB_SYSCGROUP_PROCESS}, -{QSSB_SYS(utimensat), QSSB_SYSCGROUP_PATH}, -{QSSB_SYS(epoll_pwait), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(signalfd), QSSB_SYSCGROUP_SIGNAL}, -{QSSB_SYS(timerfd_create), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(eventfd), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(fallocate), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_FD}, -{QSSB_SYS(timerfd_settime), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(timerfd_gettime), QSSB_SYSCGROUP_TIMER}, -{QSSB_SYS(accept4), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(signalfd4), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(eventfd2), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(epoll_create1), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(dup3), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(pipe2), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(inotify_init1), QSSB_SYSCGROUP_INOTIFY}, -{QSSB_SYS(preadv), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(pwritev), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(rt_tgsigqueueinfo), QSSB_SYSCGROUP_RT}, -{QSSB_SYS(perf_event_open), QSSB_SYSCGROUP_PERF}, -{QSSB_SYS(recvmmsg), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(fanotify_init), QSSB_SYSCGROUP_FANOTIFY}, -{QSSB_SYS(fanotify_mark), QSSB_SYSCGROUP_FANOTIFY}, -{QSSB_SYS(prlimit64), QSSB_SYSCGROUP_RES}, -{QSSB_SYS(name_to_handle_at), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(open_by_handle_at), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_FS}, -{QSSB_SYS(clock_adjtime), QSSB_SYSCGROUP_CLOCK}, -{QSSB_SYS(syncfs), QSSB_SYSCGROUP_FD}, -{QSSB_SYS(sendmmsg), QSSB_SYSCGROUP_SOCKET}, -{QSSB_SYS(setns), QSSB_SYSCGROUP_NS}, -{QSSB_SYS(getcpu), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(process_vm_readv), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(process_vm_writev), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(kcmp), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(finit_module), QSSB_SYSCGROUP_KMOD}, -{QSSB_SYS(sched_setattr), QSSB_SYSCGROUP_SCHED}, -{QSSB_SYS(sched_getattr), QSSB_SYSCGROUP_SCHED|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(renameat2), QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(seccomp), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(getrandom), QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(memfd_create), QSSB_SYSCGROUP_MEMORY|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(kexec_file_load), QSSB_SYSCGROUP_KEXEC}, -{QSSB_SYS(bpf), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(execveat), QSSB_SYSCGROUP_EXEC}, -{QSSB_SYS(userfaultfd), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(membarrier), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(mlock2), QSSB_SYSCGROUP_MEMORY}, -{QSSB_SYS(copy_file_range), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(preadv2), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(pwritev2), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(pkey_mprotect), QSSB_SYSCGROUP_PKEY}, -{QSSB_SYS(pkey_alloc), QSSB_SYSCGROUP_PKEY}, -{QSSB_SYS(pkey_free), QSSB_SYSCGROUP_PKEY}, -{QSSB_SYS(statx), QSSB_SYSCGROUP_STAT|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(io_pgetevents), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(rseq), QSSB_SYSCGROUP_THREAD}, -{QSSB_SYS(pidfd_send_signal), QSSB_SYSCGROUP_PIDFD}, -{QSSB_SYS(io_uring_setup), QSSB_SYSCGROUP_IOURING}, -{QSSB_SYS(io_uring_enter), QSSB_SYSCGROUP_IOURING}, -{QSSB_SYS(io_uring_register), QSSB_SYSCGROUP_IOURING}, -{QSSB_SYS(open_tree), QSSB_SYSCGROUP_NEWMOUNT}, -{QSSB_SYS(move_mount), QSSB_SYSCGROUP_NEWMOUNT}, -{QSSB_SYS(fsopen), QSSB_SYSCGROUP_NEWMOUNT}, -{QSSB_SYS(fsconfig), QSSB_SYSCGROUP_NEWMOUNT}, -{QSSB_SYS(fsmount), QSSB_SYSCGROUP_NEWMOUNT}, -{QSSB_SYS(fspick), QSSB_SYSCGROUP_NEWMOUNT}, -{QSSB_SYS(pidfd_open), QSSB_SYSCGROUP_PIDFD}, -{QSSB_SYS(clone3), QSSB_SYSCGROUP_CLONE|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(close_range), QSSB_SYSCGROUP_STDIO|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(openat2), QSSB_SYSCGROUP_FD|QSSB_SYSCGROUP_PATH|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(pidfd_getfd), QSSB_SYSCGROUP_PIDFD}, -{QSSB_SYS(faccessat2), QSSB_SYSCGROUP_PERMS|QSSB_SYSCGROUP_DEFAULT_ALLOW}, -{QSSB_SYS(process_madvise), QSSB_SYSCGROUP_MEMORY}, -{QSSB_SYS(epoll_pwait2), QSSB_SYSCGROUP_STDIO}, -{QSSB_SYS(mount_setattr), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(quotactl_fd), QSSB_SYSCGROUP_QUOTA}, -{QSSB_SYS(landlock_create_ruleset), QSSB_SYSCGROUP_LANDLOCK}, -{QSSB_SYS(landlock_add_rule), QSSB_SYSCGROUP_LANDLOCK}, -{QSSB_SYS(landlock_restrict_self), QSSB_SYSCGROUP_LANDLOCK}, -{QSSB_SYS(memfd_secret), QSSB_SYSCGROUP_NONE}, -{QSSB_SYS(process_mrelease), QSSB_SYSCGROUP_NONE} +{EXILE_SYS(read), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(write), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(open), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(close), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(stat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fstat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(lstat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(poll), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(lseek), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(mmap), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(mprotect), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(munmap), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(brk), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(rt_sigaction), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(rt_sigprocmask), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(rt_sigreturn), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(ioctl), EXILE_SYSCGROUP_IOCTL|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(pread64), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(pwrite64), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(readv), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(writev), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(access), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(pipe), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(select), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(sched_yield), EXILE_SYSCGROUP_SCHED|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(mremap), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(msync), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(mincore), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(madvise), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(shmget), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(shmat), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(shmctl), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(dup), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(dup2), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(pause), EXILE_SYSCGROUP_PAUSE|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(nanosleep), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getitimer), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(alarm), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(setitimer), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getpid), EXILE_SYSCGROUP_PROCESS|EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(sendfile), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(socket), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(connect), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(accept), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(sendto), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(recvfrom), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(sendmsg), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(recvmsg), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(shutdown), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(bind), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(listen), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(getsockname), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(getpeername), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(socketpair), EXILE_SYSCGROUP_SOCKET|EXILE_SYSCGROUP_IPC}, +{EXILE_SYS(setsockopt), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(getsockopt), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(clone), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(fork), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(vfork), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(execve), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_EXEC}, +{EXILE_SYS(exit), EXILE_SYSCGROUP_PROCESS|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(wait4), EXILE_SYSCGROUP_EXEC}, +{EXILE_SYS(kill), EXILE_SYSCGROUP_KILL}, +{EXILE_SYS(uname), EXILE_SYSCGROUP_SYS|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(semget), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(semop), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(semctl), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(shmdt), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(msgget), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(msgsnd), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(msgrcv), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(msgctl), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(fcntl), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(flock), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(fsync), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(fdatasync), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(truncate), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(ftruncate), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(getdents), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(getcwd), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(chdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fchdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(rename), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(mkdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(rmdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(creat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(link), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(unlink), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(symlink), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(readlink), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(chmod), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fchmod), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(chown), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fchown), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(lchown), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(umask), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(gettimeofday), EXILE_SYSCGROUP_TIME|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getrlimit), EXILE_SYSCGROUP_RES|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getrusage), EXILE_SYSCGROUP_RES|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(sysinfo), EXILE_SYSCGROUP_SYS|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(times), EXILE_SYSCGROUP_TIME|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(ptrace), EXILE_SYSCGROUP_PTRACE|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getuid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(syslog), EXILE_SYSCGROUP_SYS}, +{EXILE_SYS(getgid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(setuid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(setgid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(geteuid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getegid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(setpgid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(getppid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getpgrp), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(setsid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(setreuid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(setregid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(getgroups), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(setgroups), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(setresuid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(getresuid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(setresgid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(getresgid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(getpgid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(setfsuid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(setfsgid), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(getsid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(capget), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(capset), EXILE_SYSCGROUP_ID}, +{EXILE_SYS(rt_sigpending), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(rt_sigtimedwait), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(rt_sigqueueinfo), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(rt_sigsuspend), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(sigaltstack), EXILE_SYSCGROUP_THREAD|EXILE_SYSCGROUP_SIGNAL}, +{EXILE_SYS(utime), EXILE_SYSCGROUP_TIME|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(mknod), EXILE_SYSCGROUP_DEV|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(uselib), EXILE_SYSCGROUP_LIB|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(personality), EXILE_SYSCGROUP_PROCESS}, +{EXILE_SYS(ustat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(statfs), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fstatfs), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(sysfs), EXILE_SYSCGROUP_SYS|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(getpriority), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(setpriority), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_setparam), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_getparam), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_setscheduler), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_getscheduler), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_get_priority_max), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_get_priority_min), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_rr_get_interval), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(mlock), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(munlock), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(mlockall), EXILE_SYSCGROUP_MEMORY}, +{EXILE_SYS(munlockall), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(vhangup), EXILE_SYSCGROUP_TTY}, +{EXILE_SYS(modify_ldt), EXILE_SYSCGROUP_PROCESS}, +{EXILE_SYS(pivot_root), EXILE_SYSCGROUP_CHROOT}, +{EXILE_SYS(_sysctl), EXILE_SYSCGROUP_SYS}, +{EXILE_SYS(prctl), EXILE_SYSCGROUP_PROCESS}, +{EXILE_SYS(arch_prctl), EXILE_SYSCGROUP_PROCESS}, +{EXILE_SYS(adjtimex), EXILE_SYSCGROUP_CLOCK}, +{EXILE_SYS(setrlimit), EXILE_SYSCGROUP_RES}, +{EXILE_SYS(chroot), EXILE_SYSCGROUP_CHROOT|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(sync), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(acct), EXILE_SYSCGROUP_PROCESS}, +{EXILE_SYS(settimeofday), EXILE_SYSCGROUP_TIME}, +{EXILE_SYS(mount), EXILE_SYSCGROUP_MOUNT|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(umount2), EXILE_SYSCGROUP_UMOUNT|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(swapon), EXILE_SYSCGROUP_SWAP}, +{EXILE_SYS(swapoff), EXILE_SYSCGROUP_SWAP}, +{EXILE_SYS(reboot), EXILE_SYSCGROUP_POWER}, +{EXILE_SYS(sethostname), EXILE_SYSCGROUP_HOST}, +{EXILE_SYS(setdomainname), EXILE_SYSCGROUP_HOST}, +{EXILE_SYS(iopl), EXILE_SYSCGROUP_IOPL}, +{EXILE_SYS(ioperm), EXILE_SYSCGROUP_IOPL}, +{EXILE_SYS(create_module), EXILE_SYSCGROUP_KMOD}, +{EXILE_SYS(init_module), EXILE_SYSCGROUP_KMOD}, +{EXILE_SYS(delete_module), EXILE_SYSCGROUP_KMOD}, +{EXILE_SYS(get_kernel_syms), EXILE_SYSCGROUP_KMOD}, +{EXILE_SYS(query_module), EXILE_SYSCGROUP_KMOD}, +{EXILE_SYS(quotactl), EXILE_SYSCGROUP_QUOTA}, +{EXILE_SYS(nfsservctl), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(getpmsg), EXILE_SYSCGROUP_UNIMPLEMENTED}, +{EXILE_SYS(putpmsg), EXILE_SYSCGROUP_UNIMPLEMENTED}, +{EXILE_SYS(afs_syscall), EXILE_SYSCGROUP_UNIMPLEMENTED}, +{EXILE_SYS(tuxcall), EXILE_SYSCGROUP_UNIMPLEMENTED}, +{EXILE_SYS(security), EXILE_SYSCGROUP_UNIMPLEMENTED}, +{EXILE_SYS(gettid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_THREAD}, +{EXILE_SYS(readahead), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(setxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(lsetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fsetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(getxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(lgetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fgetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(listxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(llistxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(flistxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(removexattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(lremovexattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fremovexattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(tkill), EXILE_SYSCGROUP_THREAD|EXILE_SYSCGROUP_SIGNAL}, +{EXILE_SYS(time), EXILE_SYSCGROUP_TIME}, +{EXILE_SYS(futex), EXILE_SYSCGROUP_THREAD|EXILE_SYSCGROUP_FUTEX}, +{EXILE_SYS(sched_setaffinity), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_getaffinity), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(set_thread_area), EXILE_SYSCGROUP_THREAD}, +{EXILE_SYS(io_setup), EXILE_SYSCGROUP_IO}, +{EXILE_SYS(io_destroy), EXILE_SYSCGROUP_IO}, +{EXILE_SYS(io_getevents), EXILE_SYSCGROUP_IO}, +{EXILE_SYS(io_submit), EXILE_SYSCGROUP_IO}, +{EXILE_SYS(io_cancel), EXILE_SYSCGROUP_IO}, +{EXILE_SYS(get_thread_area), EXILE_SYSCGROUP_THREAD}, +{EXILE_SYS(lookup_dcookie), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(epoll_create), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(epoll_ctl_old), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(epoll_wait_old), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(remap_file_pages), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(getdents64), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(set_tid_address), EXILE_SYSCGROUP_THREAD}, +{EXILE_SYS(restart_syscall), EXILE_SYSCGROUP_SYSCALL}, +{EXILE_SYS(semtimedop), EXILE_SYSCGROUP_SEM}, +{EXILE_SYS(fadvise64), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FD}, +{EXILE_SYS(timer_create), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(timer_settime), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(timer_gettime), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(timer_getoverrun), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(timer_delete), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(clock_settime), EXILE_SYSCGROUP_TIME}, +{EXILE_SYS(clock_gettime), EXILE_SYSCGROUP_TIME}, +{EXILE_SYS(clock_getres), EXILE_SYSCGROUP_TIME}, +{EXILE_SYS(clock_nanosleep), EXILE_SYSCGROUP_TIME}, +{EXILE_SYS(exit_group), EXILE_SYSCGROUP_EXIT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(epoll_wait), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(epoll_ctl), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(tgkill), EXILE_SYSCGROUP_SIGNAL|EXILE_SYSCGROUP_THREAD}, +{EXILE_SYS(utimes), EXILE_SYSCGROUP_PATH}, +{EXILE_SYS(vserver), EXILE_SYSCGROUP_UNIMPLEMENTED}, +{EXILE_SYS(mbind), EXILE_SYSCGROUP_MEMORY}, +{EXILE_SYS(set_mempolicy), EXILE_SYSCGROUP_MEMORY}, +{EXILE_SYS(get_mempolicy), EXILE_SYSCGROUP_MEMORY}, +{EXILE_SYS(mq_open), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC}, +{EXILE_SYS(mq_unlink), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC}, +{EXILE_SYS(mq_timedsend), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC}, +{EXILE_SYS(mq_timedreceive), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC}, +{EXILE_SYS(mq_notify), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC}, +{EXILE_SYS(mq_getsetattr), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC}, +{EXILE_SYS(kexec_load), EXILE_SYSCGROUP_KEXEC}, +{EXILE_SYS(waitid), EXILE_SYSCGROUP_SIGNAL}, +{EXILE_SYS(add_key), EXILE_SYSCGROUP_KEYS}, +{EXILE_SYS(request_key), EXILE_SYSCGROUP_KEYS}, +{EXILE_SYS(keyctl), EXILE_SYSCGROUP_KEYS}, +{EXILE_SYS(ioprio_set), EXILE_SYSCGROUP_PRIO}, +{EXILE_SYS(ioprio_get), EXILE_SYSCGROUP_PRIO}, +{EXILE_SYS(inotify_init), EXILE_SYSCGROUP_INOTIFY}, +{EXILE_SYS(inotify_add_watch), EXILE_SYSCGROUP_INOTIFY}, +{EXILE_SYS(inotify_rm_watch), EXILE_SYSCGROUP_INOTIFY}, +{EXILE_SYS(migrate_pages), EXILE_SYSCGROUP_PROCESS}, +{EXILE_SYS(openat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(mkdirat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(mknodat), EXILE_SYSCGROUP_DEV|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fchownat), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(futimesat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(newfstatat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(unlinkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(renameat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(linkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(symlinkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(readlinkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(fchmodat), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(faccessat), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(pselect6), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(ppoll), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(unshare), EXILE_SYSCGROUP_NS|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(set_robust_list), EXILE_SYSCGROUP_FUTEX}, +{EXILE_SYS(get_robust_list), EXILE_SYSCGROUP_FUTEX}, +{EXILE_SYS(splice), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(tee), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(sync_file_range), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(vmsplice), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(move_pages), EXILE_SYSCGROUP_PROCESS}, +{EXILE_SYS(utimensat), EXILE_SYSCGROUP_PATH}, +{EXILE_SYS(epoll_pwait), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(signalfd), EXILE_SYSCGROUP_SIGNAL}, +{EXILE_SYS(timerfd_create), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(eventfd), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(fallocate), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FD}, +{EXILE_SYS(timerfd_settime), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(timerfd_gettime), EXILE_SYSCGROUP_TIMER}, +{EXILE_SYS(accept4), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(signalfd4), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(eventfd2), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(epoll_create1), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(dup3), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(pipe2), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(inotify_init1), EXILE_SYSCGROUP_INOTIFY}, +{EXILE_SYS(preadv), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(pwritev), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(rt_tgsigqueueinfo), EXILE_SYSCGROUP_RT}, +{EXILE_SYS(perf_event_open), EXILE_SYSCGROUP_PERF}, +{EXILE_SYS(recvmmsg), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(fanotify_init), EXILE_SYSCGROUP_FANOTIFY}, +{EXILE_SYS(fanotify_mark), EXILE_SYSCGROUP_FANOTIFY}, +{EXILE_SYS(prlimit64), EXILE_SYSCGROUP_RES}, +{EXILE_SYS(name_to_handle_at), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(open_by_handle_at), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_FS}, +{EXILE_SYS(clock_adjtime), EXILE_SYSCGROUP_CLOCK}, +{EXILE_SYS(syncfs), EXILE_SYSCGROUP_FD}, +{EXILE_SYS(sendmmsg), EXILE_SYSCGROUP_SOCKET}, +{EXILE_SYS(setns), EXILE_SYSCGROUP_NS}, +{EXILE_SYS(getcpu), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(process_vm_readv), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(process_vm_writev), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(kcmp), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(finit_module), EXILE_SYSCGROUP_KMOD}, +{EXILE_SYS(sched_setattr), EXILE_SYSCGROUP_SCHED}, +{EXILE_SYS(sched_getattr), EXILE_SYSCGROUP_SCHED|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(renameat2), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(seccomp), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(getrandom), EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(memfd_create), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(kexec_file_load), EXILE_SYSCGROUP_KEXEC}, +{EXILE_SYS(bpf), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(execveat), EXILE_SYSCGROUP_EXEC}, +{EXILE_SYS(userfaultfd), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(membarrier), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(mlock2), EXILE_SYSCGROUP_MEMORY}, +{EXILE_SYS(copy_file_range), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(preadv2), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(pwritev2), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(pkey_mprotect), EXILE_SYSCGROUP_PKEY}, +{EXILE_SYS(pkey_alloc), EXILE_SYSCGROUP_PKEY}, +{EXILE_SYS(pkey_free), EXILE_SYSCGROUP_PKEY}, +{EXILE_SYS(statx), EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(io_pgetevents), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(rseq), EXILE_SYSCGROUP_THREAD}, +{EXILE_SYS(pidfd_send_signal), EXILE_SYSCGROUP_PIDFD}, +{EXILE_SYS(io_uring_setup), EXILE_SYSCGROUP_IOURING}, +{EXILE_SYS(io_uring_enter), EXILE_SYSCGROUP_IOURING}, +{EXILE_SYS(io_uring_register), EXILE_SYSCGROUP_IOURING}, +{EXILE_SYS(open_tree), EXILE_SYSCGROUP_NEWMOUNT}, +{EXILE_SYS(move_mount), EXILE_SYSCGROUP_NEWMOUNT}, +{EXILE_SYS(fsopen), EXILE_SYSCGROUP_NEWMOUNT}, +{EXILE_SYS(fsconfig), EXILE_SYSCGROUP_NEWMOUNT}, +{EXILE_SYS(fsmount), EXILE_SYSCGROUP_NEWMOUNT}, +{EXILE_SYS(fspick), EXILE_SYSCGROUP_NEWMOUNT}, +{EXILE_SYS(pidfd_open), EXILE_SYSCGROUP_PIDFD}, +{EXILE_SYS(clone3), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(close_range), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(openat2), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(pidfd_getfd), EXILE_SYSCGROUP_PIDFD}, +{EXILE_SYS(faccessat2), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW}, +{EXILE_SYS(process_madvise), EXILE_SYSCGROUP_MEMORY}, +{EXILE_SYS(epoll_pwait2), EXILE_SYSCGROUP_STDIO}, +{EXILE_SYS(mount_setattr), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(quotactl_fd), EXILE_SYSCGROUP_QUOTA}, +{EXILE_SYS(landlock_create_ruleset), EXILE_SYSCGROUP_LANDLOCK}, +{EXILE_SYS(landlock_add_rule), EXILE_SYSCGROUP_LANDLOCK}, +{EXILE_SYS(landlock_restrict_self), EXILE_SYSCGROUP_LANDLOCK}, +{EXILE_SYS(memfd_secret), EXILE_SYSCGROUP_NONE}, +{EXILE_SYS(process_mrelease), EXILE_SYSCGROUP_NONE} }; -struct qssb_path_policy +struct exile_path_policy { const char *path; unsigned int policy; - struct qssb_path_policy *next; + struct exile_path_policy *next; }; -struct qssb_allocated_entry +struct exile_allocated_entry { void *data; /* the actual data */ size_t size; /* number of bytes allocated for data */ @@ -678,26 +678,26 @@ struct qssb_allocated_entry }; /* Special value */ -#define QSSB_SYSCALL_MATCH_ALL -1 +#define EXILE_SYSCALL_MATCH_ALL -1 -#define QSSB_SYSCALL_ALLOW 1 -#define QSSB_SYSCALL_DENY_KILL_PROCESS 2 -#define QSSB_SYSCALL_DENY_RET_ERROR 3 +#define EXILE_SYSCALL_ALLOW 1 +#define EXILE_SYSCALL_DENY_KILL_PROCESS 2 +#define EXILE_SYSCALL_DENY_RET_ERROR 3 -struct qssb_syscall_policy +struct exile_syscall_policy { - struct qssb_allocated_entry syscall; + struct exile_allocated_entry syscall; unsigned int policy; - struct qssb_syscall_policy *next; + struct exile_syscall_policy *next; }; -/* Number of bytes to grow the buffer in qssb_allocated_entry with */ -#define QSSB_ENTRY_ALLOC_SIZE 32 +/* Number of bytes to grow the buffer in exile_allocated_entry with */ +#define EXILE_ENTRY_ALLOC_SIZE 32 -/* Policy tells qssb what to do */ -struct qssb_policy +/* Policy tells exile what to do */ +struct exile_policy { int drop_caps; int preserve_cwd; @@ -713,32 +713,32 @@ struct qssb_policy char chroot_target_path[PATH_MAX]; const char *chdir_path; - /* Do not manually add policies here, use qssb_append_path_polic*() */ - struct qssb_path_policy *path_policies; - struct qssb_path_policy **path_policies_tail; + /* Do not manually add policies here, use exile_append_path_polic*() */ + struct exile_path_policy *path_policies; + struct exile_path_policy **path_policies_tail; - /* Do not manually add policies here, use qssb_append_syscall_policy() */ - struct qssb_syscall_policy *syscall_policies; - struct qssb_syscall_policy **syscall_policies_tail; + /* Do not manually add policies here, use exile_append_syscall_policy() */ + struct exile_syscall_policy *syscall_policies; + struct exile_syscall_policy **syscall_policies_tail; }; -static int qssb_entry_append(struct qssb_allocated_entry *entry, void *data, size_t bytes) +static int exile_entry_append(struct exile_allocated_entry *entry, void *data, size_t bytes) { size_t remaining = entry->size - entry->used; if(remaining < bytes) { - size_t expandval = QSSB_ENTRY_ALLOC_SIZE > bytes ? QSSB_ENTRY_ALLOC_SIZE : bytes; + size_t expandval = EXILE_ENTRY_ALLOC_SIZE > bytes ? EXILE_ENTRY_ALLOC_SIZE : bytes; size_t sizenew = 0; if(__builtin_add_overflow(entry->size, expandval, &sizenew)) { - QSSB_LOG_ERROR("overflow in qssb_entry_append\n"); + EXILE_LOG_ERROR("overflow in exile_entry_append\n"); return -EINVAL; } int *datanew = (int *) realloc(entry->data, sizenew); if(datanew == NULL) { - QSSB_LOG_ERROR("failed to resize array: %s\n", strerror(errno)); + EXILE_LOG_ERROR("failed to resize array: %s\n", strerror(errno)); return -1; } entry->size = sizenew; @@ -750,75 +750,75 @@ static int qssb_entry_append(struct qssb_allocated_entry *entry, void *data, siz return 0; } -static int qssb_append_syscall(struct qssb_allocated_entry *entry, long *syscalls, size_t n) +static int exile_append_syscall(struct exile_allocated_entry *entry, long *syscalls, size_t n) { size_t bytes = 0; if(__builtin_mul_overflow(n, sizeof(long), &bytes)) { - QSSB_LOG_ERROR("Overflow while trying to add system calls\n"); + EXILE_LOG_ERROR("Overflow while trying to add system calls\n"); return -EINVAL; } - return qssb_entry_append(entry, syscalls, bytes); + return exile_entry_append(entry, syscalls, bytes); } static int is_valid_syscall_policy(unsigned int policy) { - return policy == QSSB_SYSCALL_ALLOW || policy == QSSB_SYSCALL_DENY_RET_ERROR || policy == QSSB_SYSCALL_DENY_KILL_PROCESS; + return policy == EXILE_SYSCALL_ALLOW || policy == EXILE_SYSCALL_DENY_RET_ERROR || policy == EXILE_SYSCALL_DENY_KILL_PROCESS; } -static void get_syscall_array(struct qssb_syscall_policy *policy, long **syscall, size_t *n) +static void get_syscall_array(struct exile_syscall_policy *policy, long **syscall, size_t *n) { *syscall = (long *) policy->syscall.data; *n = policy->syscall.used / sizeof(long); } -int qssb_append_syscalls_policy(struct qssb_policy *qssb_policy, unsigned int syscall_policy, long *syscalls, size_t n) +int exile_append_syscalls_policy(struct exile_policy *exile_policy, unsigned int syscall_policy, long *syscalls, size_t n) { /* Check whether we already have this policy. If so, merge new entries to the existing ones */ - struct qssb_syscall_policy *current_policy = qssb_policy->syscall_policies; + struct exile_syscall_policy *current_policy = exile_policy->syscall_policies; while(current_policy) { if(current_policy->policy == syscall_policy) { - return qssb_append_syscall(¤t_policy->syscall, syscalls, n); + return exile_append_syscall(¤t_policy->syscall, syscalls, n); } current_policy = current_policy->next; } /* We don't so we create a new policy */ - struct qssb_syscall_policy *newpolicy = (struct qssb_syscall_policy *) calloc(1, sizeof(struct qssb_syscall_policy)); + struct exile_syscall_policy *newpolicy = (struct exile_syscall_policy *) calloc(1, sizeof(struct exile_syscall_policy)); if(newpolicy == NULL) { - QSSB_LOG_ERROR("Failed to allocate memory for syscall policy\n"); + EXILE_LOG_ERROR("Failed to allocate memory for syscall policy\n"); return -1; } - int ret = qssb_append_syscall(&newpolicy->syscall, syscalls, n); + int ret = exile_append_syscall(&newpolicy->syscall, syscalls, n); if(ret != 0) { free(newpolicy); - QSSB_LOG_ERROR("Failed to append syscall\n"); + EXILE_LOG_ERROR("Failed to append syscall\n"); return -1; } newpolicy->next = NULL; newpolicy->policy = syscall_policy; - *(qssb_policy->syscall_policies_tail) = newpolicy; - qssb_policy->syscall_policies_tail = &(newpolicy->next); + *(exile_policy->syscall_policies_tail) = newpolicy; + exile_policy->syscall_policies_tail = &(newpolicy->next); - qssb_policy->disable_syscall_filter = 0; + exile_policy->disable_syscall_filter = 0; return 0; } -int qssb_append_syscall_policy(struct qssb_policy *qssb_policy, unsigned int syscall_policy, long syscall) +int exile_append_syscall_policy(struct exile_policy *exile_policy, unsigned int syscall_policy, long syscall) { - return qssb_append_syscalls_policy(qssb_policy, syscall_policy, &syscall, 1); + return exile_append_syscalls_policy(exile_policy, syscall_policy, &syscall, 1); } -int qssb_append_syscall_default_policy(struct qssb_policy *qssb_policy, unsigned int default_policy) +int exile_append_syscall_default_policy(struct exile_policy *exile_policy, unsigned int default_policy) { - return qssb_append_syscall_policy(qssb_policy, default_policy, QSSB_SYSCALL_MATCH_ALL); + return exile_append_syscall_policy(exile_policy, default_policy, EXILE_SYSCALL_MATCH_ALL); } static void get_group_syscalls(uint64_t mask, long *syscalls, size_t *n) @@ -836,38 +836,38 @@ static void get_group_syscalls(uint64_t mask, long *syscalls, size_t *n) *n = count; } -int qssb_append_group_syscall_policy(struct qssb_policy *qssb_policy, unsigned int syscall_policy, uint64_t groupmask) +int exile_append_group_syscall_policy(struct exile_policy *exile_policy, unsigned int syscall_policy, uint64_t groupmask) { long syscalls[400] = { 0 }; size_t n = 0; - if(groupmask & QSSB_SYSCGROUP_NONE) + if(groupmask & EXILE_SYSCGROUP_NONE) { - QSSB_LOG_ERROR("Error: 'None' is an illegal group name\n"); + EXILE_LOG_ERROR("Error: 'None' is an illegal group name\n"); return -EINVAL; } get_group_syscalls(groupmask, syscalls, &n); if(n == 0) { - QSSB_LOG_ERROR("Error: No syscalls found for group mask\n"); + EXILE_LOG_ERROR("Error: No syscalls found for group mask\n"); return -EINVAL; } - return qssb_append_syscalls_policy(qssb_policy, syscall_policy, syscalls, n); + return exile_append_syscalls_policy(exile_policy, syscall_policy, syscalls, n); } /* Creates the default policy - * Must be freed using qssb_free_policy + * Must be freed using exile_free_policy * @returns: default policy */ -struct qssb_policy *qssb_init_policy() +struct exile_policy *exile_init_policy() { - struct qssb_policy *result = (struct qssb_policy *) calloc(1, sizeof(struct qssb_policy)); + struct exile_policy *result = (struct exile_policy *) calloc(1, sizeof(struct exile_policy)); result->drop_caps = 1; result->not_dumpable = 1; result->no_new_privs = 1; result->no_fs = 0; result->no_new_fds = 0; - result->namespace_options = QSSB_UNSHARE_MOUNT | QSSB_UNSHARE_USER; + result->namespace_options = EXILE_UNSHARE_MOUNT | EXILE_UNSHARE_USER; result->disable_syscall_filter = 0; result->chdir_path = NULL; result->mount_path_policies_to_chroot = 0; @@ -881,14 +881,14 @@ struct qssb_policy *qssb_init_policy() return result; } -/* Appends path policies to the qssb_policy object +/* Appends path policies to the exile_policy object * The last paramater must be NULL * * This function does not copy parameters. All passed paths - * MUST NOT be freed until qssb_enable_policy() is called! + * MUST NOT be freed until exile_enable_policy() is called! * * @returns: 0 on success, -1 on failure */ -int qssb_append_path_policies(struct qssb_policy *qssb_policy, unsigned int path_policy, ...) +int exile_append_path_policies(struct exile_policy *exile_policy, unsigned int path_policy, ...) { va_list args; const char *path; @@ -897,18 +897,18 @@ int qssb_append_path_policies(struct qssb_policy *qssb_policy, unsigned int path path = va_arg(args, char*); while(path != NULL) { - struct qssb_path_policy *newpolicy = (struct qssb_path_policy *) calloc(1, sizeof(struct qssb_path_policy)); + struct exile_path_policy *newpolicy = (struct exile_path_policy *) calloc(1, sizeof(struct exile_path_policy)); if(newpolicy == NULL) { - QSSB_LOG_ERROR("Failed to allocate memory for path policy\n"); + EXILE_LOG_ERROR("Failed to allocate memory for path policy\n"); return -1; } newpolicy->path = path; newpolicy->policy = path_policy; newpolicy->next = NULL; - *(qssb_policy->path_policies_tail) = newpolicy; - qssb_policy->path_policies_tail = &(newpolicy->next); + *(exile_policy->path_policies_tail) = newpolicy; + exile_policy->path_policies_tail = &(newpolicy->next); path = va_arg(args, char*); } @@ -917,9 +917,9 @@ int qssb_append_path_policies(struct qssb_policy *qssb_policy, unsigned int path return 0; } -int qssb_append_path_policy(struct qssb_policy *qssb_policy, unsigned int path_policy, const char *path) +int exile_append_path_policy(struct exile_policy *exile_policy, unsigned int path_policy, const char *path) { - return qssb_append_path_policies(qssb_policy, path_policy, path, NULL); + return exile_append_path_policies(exile_policy, path_policy, path, NULL); } @@ -958,12 +958,12 @@ static int mkdir_structure(const char *p, mode_t mode) int res = snprintf(path, sizeof(path), "%s/", p); if(res < 0) { - QSSB_LOG_ERROR("qssb: mkdir_strucutre: error during path concatination\n"); + EXILE_LOG_ERROR("exile: mkdir_strucutre: error during path concatination\n"); return -EINVAL; } if(res >= PATH_MAX) { - QSSB_LOG_ERROR("qssb: mkdir_structure: path concatination truncated\n"); + EXILE_LOG_ERROR("exile: mkdir_structure: path concatination truncated\n"); return -EINVAL; } @@ -984,7 +984,7 @@ static int mkdir_structure(const char *p, mode_t mode) } else { - QSSB_LOG_ERROR("Failed to create directory for chroot: %s\n", begin); + EXILE_LOG_ERROR("Failed to create directory for chroot: %s\n", begin); return -1; } } @@ -1004,31 +1004,31 @@ static int mkdir_structure(const char *p, mode_t mode) } /* @returns: argument for mount(2) flags */ -static int get_policy_mount_flags(struct qssb_path_policy *policy) +static int get_policy_mount_flags(struct exile_path_policy *policy) { int result = 0; - if( (policy->policy & QSSB_FS_ALLOW_DEV) == 0) + if( (policy->policy & EXILE_FS_ALLOW_DEV) == 0) { result |= MS_NODEV; } - if( (policy->policy & QSSB_FS_ALLOW_EXEC) == 0) + if( (policy->policy & EXILE_FS_ALLOW_EXEC) == 0) { result |= MS_NOEXEC; } - if( (policy->policy & QSSB_FS_ALLOW_SETUID) == 0) + if( (policy->policy & EXILE_FS_ALLOW_SETUID) == 0) { result |= MS_NOSUID; } - if( (policy->policy & QSSB_FS_ALLOW_WRITE) == 0) + if( (policy->policy & EXILE_FS_ALLOW_WRITE) == 0) { result |= MS_RDONLY; } - if( (policy->policy & QSSB_MOUNT_NOT_REC) == 0) + if( (policy->policy & EXILE_MOUNT_NOT_REC) == 0) { result |= MS_REC; } @@ -1039,7 +1039,7 @@ static int get_policy_mount_flags(struct qssb_path_policy *policy) * Paths will be created if necessary * @returns: 0 on sucess, -ERRNO on failure */ -static int mount_to_chroot(const char *chroot_target_path, struct qssb_path_policy *path_policy) +static int mount_to_chroot(const char *chroot_target_path, struct exile_path_policy *path_policy) { while(path_policy != NULL) { @@ -1048,18 +1048,18 @@ static int mount_to_chroot(const char *chroot_target_path, struct qssb_path_poli int written = snprintf(path_inside_chroot, sizeof(path_inside_chroot), "%s/%s", chroot_target_path, path_policy->path); if(written < 0) { - QSSB_LOG_ERROR("qssb: mount_to_chroot: Error during path concatination\n"); + EXILE_LOG_ERROR("exile: mount_to_chroot: Error during path concatination\n"); return -EINVAL; } if(written >= PATH_MAX) { - QSSB_LOG_ERROR("qssb: mount_to_chroot: path concatination truncated\n"); + EXILE_LOG_ERROR("exile: mount_to_chroot: path concatination truncated\n"); return -EINVAL; } int ret = mkdir_structure(path_inside_chroot, 0700); if(ret < 0) { - QSSB_LOG_ERROR("Error creating directory structure while mounting paths to chroot. %s\n", strerror(errno)); + EXILE_LOG_ERROR("Error creating directory structure while mounting paths to chroot. %s\n", strerror(errno)); return ret; } @@ -1069,12 +1069,12 @@ static int mount_to_chroot(const char *chroot_target_path, struct qssb_path_poli mount_flags |= MS_BIND; - if(path_policy->policy & QSSB_FS_ALLOW_READ || path_policy->policy & QSSB_FS_ALLOW_WRITE) + if(path_policy->policy & EXILE_FS_ALLOW_READ || path_policy->policy & EXILE_FS_ALLOW_WRITE) { ret = mount(path_policy->path, path_inside_chroot, NULL, mount_flags, NULL); if(ret < 0 ) { - QSSB_LOG_ERROR("Error: Failed to mount %s to %s: %s\n", path_policy->path, path_inside_chroot, strerror(errno)); + EXILE_LOG_ERROR("Error: Failed to mount %s to %s: %s\n", path_policy->path, path_inside_chroot, strerror(errno)); return ret; } @@ -1082,7 +1082,7 @@ static int mount_to_chroot(const char *chroot_target_path, struct qssb_path_poli ret = mount(NULL, path_inside_chroot, NULL, mount_flags | MS_REMOUNT, NULL); if(ret < 0 ) { - QSSB_LOG_ERROR("Error: Failed to remount %s: %s\n", path_inside_chroot, strerror(errno)); + EXILE_LOG_ERROR("Error: Failed to remount %s: %s\n", path_inside_chroot, strerror(errno)); return ret; } } @@ -1093,24 +1093,24 @@ static int mount_to_chroot(const char *chroot_target_path, struct qssb_path_poli } /* - * Frees the memory taken by a qssb_policy object + * Frees the memory taken by a exile_policy object */ -void qssb_free_policy(struct qssb_policy *ctxt) +void exile_free_policy(struct exile_policy *ctxt) { if(ctxt != NULL) { - struct qssb_path_policy *current = ctxt->path_policies; + struct exile_path_policy *current = ctxt->path_policies; while(current != NULL) { - struct qssb_path_policy *tmp = current; + struct exile_path_policy *tmp = current; current = current->next; free(tmp); } - struct qssb_syscall_policy *sc_policy = ctxt->syscall_policies; + struct exile_syscall_policy *sc_policy = ctxt->syscall_policies; while(sc_policy != NULL) { - struct qssb_syscall_policy *tmp = sc_policy; + struct exile_syscall_policy *tmp = sc_policy; sc_policy = sc_policy->next; free(tmp); } @@ -1121,12 +1121,12 @@ void qssb_free_policy(struct qssb_policy *ctxt) /* Enters the specified namespaces */ static int enter_namespaces(int namespace_options) { - if(namespace_options & QSSB_UNSHARE_USER) + if(namespace_options & EXILE_UNSHARE_USER) { int ret = unshare(CLONE_NEWUSER); if(ret == -1) { - QSSB_LOG_ERROR("Error: Failed to unshare user namespaces: %s\n", strerror(errno)); + EXILE_LOG_ERROR("Error: Failed to unshare user namespaces: %s\n", strerror(errno)); return ret; } @@ -1136,12 +1136,12 @@ static int enter_namespaces(int namespace_options) FILE *fp = fopen("/proc/self/setgroups", "w"); if(fp == NULL) { - QSSB_LOG_ERROR("fopen failed while trying to deny setgroups\n"); + EXILE_LOG_ERROR("fopen failed while trying to deny setgroups\n"); return -1; } if(fprintf(fp, "deny") < 0) { - QSSB_LOG_ERROR("fprintf failed while trying to write uid_map\n"); + EXILE_LOG_ERROR("fprintf failed while trying to write uid_map\n"); return -1; } fclose(fp); @@ -1149,12 +1149,12 @@ static int enter_namespaces(int namespace_options) fp = fopen("/proc/self/uid_map", "w"); if(fp == NULL) { - QSSB_LOG_ERROR("fopen failed while trying to write uid_map\n"); + EXILE_LOG_ERROR("fopen failed while trying to write uid_map\n"); return -1; } if(fprintf(fp, "0 %i", current_uid) < 0) { - QSSB_LOG_ERROR("fprintf failed while trying to write uid_map\n"); + EXILE_LOG_ERROR("fprintf failed while trying to write uid_map\n"); return -1; } fclose(fp); @@ -1162,33 +1162,33 @@ static int enter_namespaces(int namespace_options) fp = fopen("/proc/self/gid_map", "w"); if(fp == NULL) { - QSSB_LOG_ERROR("fopen failed while trying to write gid_map\n"); + EXILE_LOG_ERROR("fopen failed while trying to write gid_map\n"); return -1; } if(fprintf(fp, "0 %i", current_gid) < 0) { - QSSB_LOG_ERROR("fprintf failed while trying to write gid_map\n"); + EXILE_LOG_ERROR("fprintf failed while trying to write gid_map\n"); return -1; } fclose(fp); } - if(namespace_options & QSSB_UNSHARE_MOUNT) + if(namespace_options & EXILE_UNSHARE_MOUNT) { int ret = unshare(CLONE_NEWNS); if(ret == -1) { - QSSB_LOG_ERROR("Error: Failed to unshare mount namespaces: %s\n", strerror(errno)); + EXILE_LOG_ERROR("Error: Failed to unshare mount namespaces: %s\n", strerror(errno)); return ret; } } - if(namespace_options & QSSB_UNSHARE_NETWORK) + if(namespace_options & EXILE_UNSHARE_NETWORK) { int ret = unshare(CLONE_NEWNET); if(ret == -1) { - QSSB_LOG_ERROR("Error: Failed to unshare network namespace: %s\n", strerror(errno)); + EXILE_LOG_ERROR("Error: Failed to unshare network namespace: %s\n", strerror(errno)); return ret; } } @@ -1211,7 +1211,7 @@ static int drop_caps() if(res == -1 && errno != EINVAL) { - QSSB_LOG_ERROR("Failed to drop the capability bounding set!\n"); + EXILE_LOG_ERROR("Failed to drop the capability bounding set!\n"); return -errno; } @@ -1228,7 +1228,7 @@ static int drop_caps() drop[1].inheritable = 0; if(capset(&h, drop) == -1) { - QSSB_LOG_ERROR("Failed to drop capabilities: %s\n", strerror(errno)); + EXILE_LOG_ERROR("Failed to drop capabilities: %s\n", strerror(errno)); return -errno; } return 0; @@ -1238,22 +1238,22 @@ static int drop_caps() static void append_syscalls_to_bpf(long *syscalls, size_t n, unsigned int action, struct sock_filter *filter, unsigned short int *start_index) { - if(action == QSSB_SYSCALL_ALLOW) + if(action == EXILE_SYSCALL_ALLOW) { action = SECCOMP_RET_ALLOW; } - if(action == QSSB_SYSCALL_DENY_KILL_PROCESS) + if(action == EXILE_SYSCALL_DENY_KILL_PROCESS) { action = SECCOMP_RET_KILL_PROCESS; } - if(action == QSSB_SYSCALL_DENY_RET_ERROR) + if(action == EXILE_SYSCALL_DENY_RET_ERROR) { action = SECCOMP_RET_ERRNO|EACCES; } for(size_t i = 0; i < n; i++) { long syscall = syscalls[i]; - if(syscall != QSSB_SYSCALL_MATCH_ALL) + if(syscall != EXILE_SYSCALL_MATCH_ALL) { struct sock_filter syscall_check = BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (unsigned int) syscall, 0, 1); filter[(*start_index)++] = syscall_check; @@ -1266,12 +1266,12 @@ static void append_syscalls_to_bpf(long *syscalls, size_t n, unsigned int action /* * Enables the seccomp policy * - * policy: qssb policy object + * policy: exile policy object * * @returns: 0 on success, -1 on error */ -static int qssb_enable_syscall_policy(struct qssb_policy *policy) +static int exile_enable_syscall_policy(struct exile_policy *policy) { struct sock_filter filter[1024] = { @@ -1285,12 +1285,12 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy) unsigned short int current_filter_index = 6; - struct qssb_syscall_policy *current_policy = policy->syscall_policies; + struct exile_syscall_policy *current_policy = policy->syscall_policies; while(current_policy) { if(!is_valid_syscall_policy(current_policy->policy)) { - QSSB_LOG_ERROR("invalid syscall policy specified\n"); + EXILE_LOG_ERROR("invalid syscall policy specified\n"); return -1; } long *syscalls = NULL; @@ -1299,12 +1299,12 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy) unsigned short int newsize; if(__builtin_add_overflow(current_filter_index, n, &newsize)) { - QSSB_LOG_ERROR("Overflow when trying to add new system calls\n"); + EXILE_LOG_ERROR("Overflow when trying to add new system calls\n"); return -EINVAL; } if(newsize > (sizeof(filter)/sizeof(filter[0]))-1) { - QSSB_LOG_ERROR("Too many system calls added\n"); + EXILE_LOG_ERROR("Too many system calls added\n"); return -EINVAL; } append_syscalls_to_bpf(syscalls, n, current_policy->policy, filter, ¤t_filter_index); @@ -1318,7 +1318,7 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy) if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) { - QSSB_LOG_ERROR("prctl SET_SECCOMP %s\n", strerror(errno)); + EXILE_LOG_ERROR("prctl SET_SECCOMP %s\n", strerror(errno)); return -1; } @@ -1326,81 +1326,81 @@ static int qssb_enable_syscall_policy(struct qssb_policy *policy) } #if HAVE_LANDLOCK == 1 -static unsigned int qssb_flags_to_landlock(unsigned int flags) +static unsigned int exile_flags_to_landlock(unsigned int flags) { unsigned int result = 0; - if(flags & QSSB_FS_ALLOW_DEV) + if(flags & EXILE_FS_ALLOW_DEV) { result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK; result |= LANDLOCK_ACCESS_FS_MAKE_CHAR; } - if(flags & QSSB_FS_ALLOW_MAKE_BLOCK) + if(flags & EXILE_FS_ALLOW_MAKE_BLOCK) { result |= LANDLOCK_ACCESS_FS_MAKE_BLOCK; } - if(flags & QSSB_FS_ALLOW_MAKE_CHAR) + if(flags & EXILE_FS_ALLOW_MAKE_CHAR) { result |= LANDLOCK_ACCESS_FS_MAKE_CHAR; } - if(flags & QSSB_FS_ALLOW_MAKE_DIR) + if(flags & EXILE_FS_ALLOW_MAKE_DIR) { result |= LANDLOCK_ACCESS_FS_MAKE_DIR; } - if(flags & QSSB_FS_ALLOW_MAKE_FIFO) + if(flags & EXILE_FS_ALLOW_MAKE_FIFO) { result |= LANDLOCK_ACCESS_FS_MAKE_FIFO; } - if(flags & QSSB_FS_ALLOW_MAKE_REG) + if(flags & EXILE_FS_ALLOW_MAKE_REG) { result |= LANDLOCK_ACCESS_FS_MAKE_REG; } - if(flags & QSSB_FS_ALLOW_MAKE_SOCK) + if(flags & EXILE_FS_ALLOW_MAKE_SOCK) { result |= LANDLOCK_ACCESS_FS_MAKE_SOCK; } - if(flags & QSSB_FS_ALLOW_MAKE_SYM) + if(flags & EXILE_FS_ALLOW_MAKE_SYM) { result |= LANDLOCK_ACCESS_FS_MAKE_SYM; } - if(flags & QSSB_FS_ALLOW_READ) + if(flags & EXILE_FS_ALLOW_READ) { result |= LANDLOCK_ACCESS_FS_READ_FILE; result |= LANDLOCK_ACCESS_FS_READ_DIR; } - if(flags & QSSB_FS_ALLOW_REMOVE) + if(flags & EXILE_FS_ALLOW_REMOVE) { result |= LANDLOCK_ACCESS_FS_REMOVE_DIR; result |= LANDLOCK_ACCESS_FS_REMOVE_FILE; } - if(flags & QSSB_FS_ALLOW_REMOVE_DIR) + if(flags & EXILE_FS_ALLOW_REMOVE_DIR) { result |= LANDLOCK_ACCESS_FS_REMOVE_DIR; } - if(flags & QSSB_FS_ALLOW_REMOVE_FILE) + if(flags & EXILE_FS_ALLOW_REMOVE_FILE) { result |= LANDLOCK_ACCESS_FS_REMOVE_FILE; } - if(flags & QSSB_FS_ALLOW_EXEC) + if(flags & EXILE_FS_ALLOW_EXEC) { result |= LANDLOCK_ACCESS_FS_EXECUTE; } - if(flags & QSSB_FS_ALLOW_WRITE) + if(flags & EXILE_FS_ALLOW_WRITE) { result |= LANDLOCK_ACCESS_FS_MAKE_REG; result |= LANDLOCK_ACCESS_FS_WRITE_FILE; } - if(flags & QSSB_FS_ALLOW_WRITE_FILE) + if(flags & EXILE_FS_ALLOW_WRITE_FILE) { result |= LANDLOCK_ACCESS_FS_WRITE_FILE; } - if(flags & QSSB_FS_ALLOW_READ_DIR) + if(flags & EXILE_FS_ALLOW_READ_DIR) { result |= LANDLOCK_ACCESS_FS_READ_DIR; } return result; } -static int landlock_prepare_ruleset(struct qssb_path_policy *policies) +static int landlock_prepare_ruleset(struct exile_path_policy *policies) { int ruleset_fd = -1; struct landlock_ruleset_attr ruleset_attr; @@ -1412,25 +1412,25 @@ static int landlock_prepare_ruleset(struct qssb_path_policy *policies) ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); if (ruleset_fd < 0) { - QSSB_LOG_ERROR("Failed to create landlock ruleset\n"); + EXILE_LOG_ERROR("Failed to create landlock ruleset\n"); return -1; } - struct qssb_path_policy *policy = policies; + struct exile_path_policy *policy = policies; while(policy != NULL) { struct landlock_path_beneath_attr path_beneath; path_beneath.parent_fd = open(policy->path, O_PATH | O_CLOEXEC); if(path_beneath.parent_fd < 0) { - QSSB_LOG_ERROR("Failed to open policy path %s while preparing landlock ruleset\n", policy->path); + EXILE_LOG_ERROR("Failed to open policy path %s while preparing landlock ruleset\n", policy->path); close(ruleset_fd); return path_beneath.parent_fd; } - path_beneath.allowed_access = qssb_flags_to_landlock(policy->policy); + path_beneath.allowed_access = exile_flags_to_landlock(policy->policy); int ret = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0); if(ret) { - QSSB_LOG_ERROR("Failed to update ruleset while processsing policy path %s\n", policy->path); + EXILE_LOG_ERROR("Failed to update ruleset while processsing policy path %s\n", policy->path); close(ruleset_fd); return ret; } @@ -1442,13 +1442,13 @@ static int landlock_prepare_ruleset(struct qssb_path_policy *policies) /* Checks for illogical or dangerous combinations */ -static int check_policy_sanity(struct qssb_policy *policy) +static int check_policy_sanity(struct exile_policy *policy) { if(policy->no_new_privs != 1) { if(policy->syscall_policies != NULL) { - QSSB_LOG_ERROR("no_new_privs = 1 is required for seccomp filtering!\n"); + EXILE_LOG_ERROR("no_new_privs = 1 is required for seccomp filtering!\n"); return -1; } } @@ -1459,12 +1459,12 @@ static int check_policy_sanity(struct qssb_policy *policy) { if(policy->path_policies == NULL) { - QSSB_LOG_ERROR("Cannot mount path policies to chroot if non are given\n"); + EXILE_LOG_ERROR("Cannot mount path policies to chroot if non are given\n"); return -1; } - if(!(policy->namespace_options & QSSB_UNSHARE_MOUNT)) + if(!(policy->namespace_options & EXILE_UNSHARE_MOUNT)) { - QSSB_LOG_ERROR("mount_path_policies_to_chroot = 1 requires unsharing mount namespace\n"); + EXILE_LOG_ERROR("mount_path_policies_to_chroot = 1 requires unsharing mount namespace\n"); return -1; } } @@ -1476,18 +1476,18 @@ static int check_policy_sanity(struct qssb_policy *policy) if(policy->mount_path_policies_to_chroot != 1) { #if HAVE_LANDLOCK != 1 - QSSB_LOG_ERROR("Path policies cannot be enforced! System needs landlock support or set mount_path_policies_to_chroot = 1\n"); + EXILE_LOG_ERROR("Path policies cannot be enforced! System needs landlock support or set mount_path_policies_to_chroot = 1\n"); return -1; #endif } if(policy->no_fs == 1) { - QSSB_LOG_ERROR("If path_policies are specified, no_fs cannot be set to 1\n"); + EXILE_LOG_ERROR("If path_policies are specified, no_fs cannot be set to 1\n"); return -1; } } - struct qssb_syscall_policy *syscall_policy = policy->syscall_policies; + struct exile_syscall_policy *syscall_policy = policy->syscall_policies; if(syscall_policy != NULL) { /* A few sanitiy checks... but we cannot check overall whether it's reasonable */ @@ -1500,7 +1500,7 @@ static int check_policy_sanity(struct qssb_policy *policy) long *syscall; size_t n = 0; get_syscall_array(syscall_policy, &syscall, &n); - if(syscall[n-1] == QSSB_SYSCALL_MATCH_ALL) + if(syscall[n-1] == EXILE_SYSCALL_MATCH_ALL) { last_match_all = i; match_all_policy = syscall_policy->policy; @@ -1514,13 +1514,13 @@ static int check_policy_sanity(struct qssb_policy *policy) } if(last_match_all == -1 || i - last_match_all != 1) { - QSSB_LOG_ERROR("The last entry in the syscall policy list must match all syscalls (default rule)\n"); + EXILE_LOG_ERROR("The last entry in the syscall policy list must match all syscalls (default rule)\n"); return -1; } /* Most likely a mistake and not intended */ if(last_policy == match_all_policy) { - QSSB_LOG_ERROR("Last policy for a syscall matches default policy\n"); + EXILE_LOG_ERROR("Last policy for a syscall matches default policy\n"); return -1; } } @@ -1546,44 +1546,44 @@ static void close_file_fds() * * @returns: 0 on success, < 0 on error */ -static int enable_no_fs(struct qssb_policy *policy) +static int enable_no_fs(struct exile_policy *policy) { close_file_fds(); if(chdir("/proc/self/fdinfo") != 0) { - QSSB_LOG_ERROR("Failed to change to safe directory: %s\n", strerror(errno)); + EXILE_LOG_ERROR("Failed to change to safe directory: %s\n", strerror(errno)); return -1; } if(chroot(".") != 0) { - QSSB_LOG_ERROR("Failed to chroot into safe directory: %s\n", strerror(errno)); + EXILE_LOG_ERROR("Failed to chroot into safe directory: %s\n", strerror(errno)); return -1; } if(chdir("/") != 0) { - QSSB_LOG_ERROR("Failed to chdir into safe directory inside chroot: %s\n", strerror(errno)); + EXILE_LOG_ERROR("Failed to chdir into safe directory inside chroot: %s\n", strerror(errno)); return -1; } //TODO: we don't have to do this if there whitelisted policies, in that case we will be behind the default deny anyway - int ret = qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_FS); + int ret = exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_FS); if(ret != 0) { - QSSB_LOG_ERROR("Failed to add system calls to policy\n"); + EXILE_LOG_ERROR("Failed to add system calls to policy\n"); return -1; } - if(qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW) != 0) + if(exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW) != 0) { - QSSB_LOG_ERROR("Failed to add default policy when adding denied filesystem-related system calls\n"); + EXILE_LOG_ERROR("Failed to add default policy when adding denied filesystem-related system calls\n"); return -1; } return 0; } -/* Enables the specified qssb_policy. +/* Enables the specified exile_policy. * * This function is not atomic (and can't be). This means some * policies can apply, while others may fail. @@ -1595,17 +1595,17 @@ static int enable_no_fs(struct qssb_policy *policy) * * @returns: 0 on success (all policies applied), < 0 on error (none or some policies dit not apply) */ -int qssb_enable_policy(struct qssb_policy *policy) +int exile_enable_policy(struct exile_policy *policy) { if(check_policy_sanity(policy) != 0) { - QSSB_LOG_ERROR("Error: Policy sanity check failed. Cannot apply policy!\n"); + EXILE_LOG_ERROR("Error: Policy sanity check failed. Cannot apply policy!\n"); return -EINVAL; } if(enter_namespaces(policy->namespace_options) < 0) { - QSSB_LOG_ERROR("Error while trying to enter namespaces\n"); + EXILE_LOG_ERROR("Error while trying to enter namespaces\n"); return -1; } @@ -1616,28 +1616,28 @@ int qssb_enable_policy(struct qssb_policy *policy) char random_str[17]; if(random_string(random_str, sizeof(random_str)) == 16) { - int res = snprintf(policy->chroot_target_path, sizeof(policy->chroot_target_path), "%s/.sandbox_%" PRIdMAX "_%s", QSSB_TEMP_DIR, (intmax_t)getpid(), random_str); + int res = snprintf(policy->chroot_target_path, sizeof(policy->chroot_target_path), "%s/.sandbox_%" PRIdMAX "_%s", EXILE_TEMP_DIR, (intmax_t)getpid(), random_str); if(res < 0) { - QSSB_LOG_ERROR("qssb: qssb_enable_policy: error during path concatination\n"); + EXILE_LOG_ERROR("exile: exile_enable_policy: error during path concatination\n"); return -EINVAL; } if(res >= PATH_MAX) { - QSSB_LOG_ERROR("qssb: qssb_enable_policy: path concatination truncated\n"); + EXILE_LOG_ERROR("exile: exile_enable_policy: path concatination truncated\n"); return -EINVAL; } } else { - QSSB_LOG_ERROR("Error creating random sandbox directory name\n"); + EXILE_LOG_ERROR("Error creating random sandbox directory name\n"); return -1; } } if(mount_to_chroot(policy->chroot_target_path, policy->path_policies) < 0) { - QSSB_LOG_ERROR("mount_to_chroot: bind mounting of path policies failed\n"); + EXILE_LOG_ERROR("mount_to_chroot: bind mounting of path policies failed\n"); return -1; } } @@ -1646,7 +1646,7 @@ int qssb_enable_policy(struct qssb_policy *policy) { if(chroot(policy->chroot_target_path) < 0) { - QSSB_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path); + EXILE_LOG_ERROR("chroot: failed to enter %s\n", policy->chroot_target_path); return -1; } } @@ -1658,7 +1658,7 @@ int qssb_enable_policy(struct qssb_policy *policy) landlock_ruleset_fd = landlock_prepare_ruleset(policy->path_policies); if(landlock_ruleset_fd < 0) { - QSSB_LOG_ERROR("landlock_prepare_ruleset: Failed to prepare landlock ruleset: %s\n", strerror(errno)); + EXILE_LOG_ERROR("landlock_prepare_ruleset: Failed to prepare landlock ruleset: %s\n", strerror(errno)); return -1; } } @@ -1670,7 +1670,7 @@ int qssb_enable_policy(struct qssb_policy *policy) if(policy->chdir_path != NULL && chdir(policy->chdir_path) < 0) { - QSSB_LOG_ERROR("chdir to %s failed\n", policy->chdir_path); + EXILE_LOG_ERROR("chdir to %s failed\n", policy->chdir_path); return -1; } @@ -1678,7 +1678,7 @@ int qssb_enable_policy(struct qssb_policy *policy) { if(enable_no_fs(policy) != 0) { - QSSB_LOG_ERROR("Failed to take away filesystem access of process\n"); + EXILE_LOG_ERROR("Failed to take away filesystem access of process\n"); return -1; } } @@ -1688,7 +1688,7 @@ int qssb_enable_policy(struct qssb_policy *policy) const struct rlimit nofile = {0, 0}; if (setrlimit(RLIMIT_NOFILE, &nofile) == -1) { - QSSB_LOG_ERROR("setrlimit: Failed to set rlimit: %s\n", strerror(errno)); + EXILE_LOG_ERROR("setrlimit: Failed to set rlimit: %s\n", strerror(errno)); return -1; } } @@ -1697,7 +1697,7 @@ int qssb_enable_policy(struct qssb_policy *policy) { if(drop_caps() < 0) { - QSSB_LOG_ERROR("failed to drop capabilities\n"); + EXILE_LOG_ERROR("failed to drop capabilities\n"); return -1; } } @@ -1706,7 +1706,7 @@ int qssb_enable_policy(struct qssb_policy *policy) { if(prctl(PR_SET_DUMPABLE, 0) == -1) { - QSSB_LOG_ERROR("prctl: PR_SET_DUMPABLE failed\n"); + EXILE_LOG_ERROR("prctl: PR_SET_DUMPABLE failed\n"); return -1; } } @@ -1715,7 +1715,7 @@ int qssb_enable_policy(struct qssb_policy *policy) { if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) { - QSSB_LOG_ERROR("prctl: PR_SET_NO_NEW_PRIVS failed: %s\n", strerror(errno)); + EXILE_LOG_ERROR("prctl: PR_SET_NO_NEW_PRIVS failed: %s\n", strerror(errno)); return -1; } } @@ -1732,7 +1732,7 @@ int qssb_enable_policy(struct qssb_policy *policy) if(policy->syscall_policies != NULL) { - return qssb_enable_syscall_policy(policy); + return exile_enable_syscall_policy(policy); } return 0; diff --git a/gengroup.py b/gengroup.py index ee37b1f..a2dbf65 100755 --- a/gengroup.py +++ b/gengroup.py @@ -47,7 +47,7 @@ for line in lines: if genifndef: ifndef[currentsyscall] = genifndef.groups(1)[0] - array_line = "{QSSB_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups)) + array_line = "{EXILE_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups)) print(array_line) print_ifndefs() diff --git a/grouping_x86-64.txt b/grouping_x86-64.txt index e27add5..3eeec24 100644 --- a/grouping_x86-64.txt +++ b/grouping_x86-64.txt @@ -1,363 +1,363 @@ # Assign system calls to groups. In the future, may also include simple arg filtering. -read QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -write QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -open QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -close QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -stat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -fstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -lstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -poll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -lseek QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -mmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -mprotect QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -munmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -brk QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -rt_sigaction QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW -rt_sigprocmask QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW -rt_sigreturn QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW -ioctl QSSB_SYSCGROUP_IOCTL,QSSB_SYSCGROUP_DEFAULT_ALLOW -pread64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -pwrite64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -readv QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -writev QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -access QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -pipe QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -select QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -sched_yield QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW -mremap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -msync QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -mincore QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -madvise QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -shmget QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -shmat QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -shmctl QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -dup QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -dup2 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -pause QSSB_SYSCGROUP_PAUSE,QSSB_SYSCGROUP_DEFAULT_ALLOW -nanosleep QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW -getitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW -alarm QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW -setitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW -getpid QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -sendfile QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -socket QSSB_SYSCGROUP_SOCKET -connect QSSB_SYSCGROUP_SOCKET -accept QSSB_SYSCGROUP_SOCKET -sendto QSSB_SYSCGROUP_SOCKET -recvfrom QSSB_SYSCGROUP_SOCKET -sendmsg QSSB_SYSCGROUP_SOCKET -recvmsg QSSB_SYSCGROUP_SOCKET -shutdown QSSB_SYSCGROUP_SOCKET -bind QSSB_SYSCGROUP_SOCKET -listen QSSB_SYSCGROUP_SOCKET -getsockname QSSB_SYSCGROUP_SOCKET -getpeername QSSB_SYSCGROUP_SOCKET -socketpair QSSB_SYSCGROUP_SOCKET,QSSB_SYSCGROUP_IPC -setsockopt QSSB_SYSCGROUP_SOCKET -getsockopt QSSB_SYSCGROUP_SOCKET -clone QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW -fork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW -vfork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW -execve QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_EXEC -exit QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_DEFAULT_ALLOW -wait4 QSSB_SYSCGROUP_EXEC -kill QSSB_SYSCGROUP_KILL -uname QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW -semget QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -semop QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -semctl QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -shmdt QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -msgget QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -msgsnd QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -msgrcv QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -msgctl QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW -fcntl QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -flock QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -fsync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -fdatasync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -truncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -ftruncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -getdents QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -getcwd QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -chdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -fchdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -rename QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -mkdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -rmdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -creat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -link QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -unlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -symlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -readlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -chmod QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -fchmod QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -chown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -fchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -lchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -umask QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW -gettimeofday QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW -getrlimit QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW -getrusage QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW -sysinfo QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW -times QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW -ptrace QSSB_SYSCGROUP_PTRACE,QSSB_SYSCGROUP_DEFAULT_ALLOW -getuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -syslog QSSB_SYSCGROUP_SYS -getgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -setuid QSSB_SYSCGROUP_ID -setgid QSSB_SYSCGROUP_ID -geteuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -getegid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -setpgid QSSB_SYSCGROUP_ID -getppid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -getpgrp QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -setsid QSSB_SYSCGROUP_ID -setreuid QSSB_SYSCGROUP_ID -setregid QSSB_SYSCGROUP_ID -getgroups QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -setgroups QSSB_SYSCGROUP_ID -setresuid QSSB_SYSCGROUP_ID -getresuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -setresgid QSSB_SYSCGROUP_ID -getresgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -getpgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -setfsuid QSSB_SYSCGROUP_ID -setfsgid QSSB_SYSCGROUP_ID -getsid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -capget QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW -capset QSSB_SYSCGROUP_ID -rt_sigpending QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW -rt_sigtimedwait QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW -rt_sigqueueinfo QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW -rt_sigsuspend QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW -sigaltstack QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL -utime QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_FS -mknod QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_FS -uselib QSSB_SYSCGROUP_LIB,QSSB_SYSCGROUP_DEFAULT_ALLOW -personality QSSB_SYSCGROUP_PROCESS -ustat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS -statfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS -fstatfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS -sysfs QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_FS -getpriority QSSB_SYSCGROUP_SCHED -setpriority QSSB_SYSCGROUP_SCHED -sched_setparam QSSB_SYSCGROUP_SCHED -sched_getparam QSSB_SYSCGROUP_SCHED -sched_setscheduler QSSB_SYSCGROUP_SCHED -sched_getscheduler QSSB_SYSCGROUP_SCHED -sched_get_priority_max QSSB_SYSCGROUP_SCHED -sched_get_priority_min QSSB_SYSCGROUP_SCHED -sched_rr_get_interval QSSB_SYSCGROUP_SCHED -mlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -munlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -mlockall QSSB_SYSCGROUP_MEMORY -munlockall QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -vhangup QSSB_SYSCGROUP_TTY -modify_ldt QSSB_SYSCGROUP_PROCESS -pivot_root QSSB_SYSCGROUP_CHROOT -_sysctl QSSB_SYSCGROUP_SYS -prctl QSSB_SYSCGROUP_PROCESS -arch_prctl QSSB_SYSCGROUP_PROCESS -adjtimex QSSB_SYSCGROUP_CLOCK -setrlimit QSSB_SYSCGROUP_RES -chroot QSSB_SYSCGROUP_CHROOT,QSSB_SYSCGROUP_FS -sync QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -acct QSSB_SYSCGROUP_PROCESS -settimeofday QSSB_SYSCGROUP_TIME -mount QSSB_SYSCGROUP_MOUNT,QSSB_SYSCGROUP_FS -umount2 QSSB_SYSCGROUP_UMOUNT,QSSB_SYSCGROUP_FS -swapon QSSB_SYSCGROUP_SWAP -swapoff QSSB_SYSCGROUP_SWAP -reboot QSSB_SYSCGROUP_POWER -sethostname QSSB_SYSCGROUP_HOST -setdomainname QSSB_SYSCGROUP_HOST -iopl QSSB_SYSCGROUP_IOPL -ioperm QSSB_SYSCGROUP_IOPL -create_module QSSB_SYSCGROUP_KMOD -init_module QSSB_SYSCGROUP_KMOD -delete_module QSSB_SYSCGROUP_KMOD -get_kernel_syms QSSB_SYSCGROUP_KMOD -query_module QSSB_SYSCGROUP_KMOD -quotactl QSSB_SYSCGROUP_QUOTA -nfsservctl QSSB_SYSCGROUP_NONE -getpmsg QSSB_SYSCGROUP_UNIMPLEMENTED -putpmsg QSSB_SYSCGROUP_UNIMPLEMENTED -afs_syscall QSSB_SYSCGROUP_UNIMPLEMENTED -tuxcall QSSB_SYSCGROUP_UNIMPLEMENTED -security QSSB_SYSCGROUP_UNIMPLEMENTED -gettid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_THREAD -readahead QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS -setxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -lsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -fsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -getxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -lgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -fgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -listxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -llistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -flistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -removexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -lremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -fremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS -tkill QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL -time QSSB_SYSCGROUP_TIME -futex QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_FUTEX -sched_setaffinity QSSB_SYSCGROUP_SCHED -sched_getaffinity QSSB_SYSCGROUP_SCHED -set_thread_area QSSB_SYSCGROUP_THREAD -io_setup QSSB_SYSCGROUP_IO -io_destroy QSSB_SYSCGROUP_IO -io_getevents QSSB_SYSCGROUP_IO -io_submit QSSB_SYSCGROUP_IO -io_cancel QSSB_SYSCGROUP_IO -get_thread_area QSSB_SYSCGROUP_THREAD -lookup_dcookie QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS -epoll_create QSSB_SYSCGROUP_STDIO -epoll_ctl_old QSSB_SYSCGROUP_STDIO -epoll_wait_old QSSB_SYSCGROUP_STDIO -remap_file_pages QSSB_SYSCGROUP_NONE -getdents64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS -set_tid_address QSSB_SYSCGROUP_THREAD -restart_syscall QSSB_SYSCGROUP_SYSCALL -semtimedop QSSB_SYSCGROUP_SEM -fadvise64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD -timer_create QSSB_SYSCGROUP_TIMER -timer_settime QSSB_SYSCGROUP_TIMER -timer_gettime QSSB_SYSCGROUP_TIMER -timer_getoverrun QSSB_SYSCGROUP_TIMER -timer_delete QSSB_SYSCGROUP_TIMER -clock_settime QSSB_SYSCGROUP_TIME -clock_gettime QSSB_SYSCGROUP_TIME -clock_getres QSSB_SYSCGROUP_TIME -clock_nanosleep QSSB_SYSCGROUP_TIME -exit_group QSSB_SYSCGROUP_EXIT,QSSB_SYSCGROUP_DEFAULT_ALLOW -epoll_wait QSSB_SYSCGROUP_FD -epoll_ctl QSSB_SYSCGROUP_FD -tgkill QSSB_SYSCGROUP_SIGNAL,QSSB_SYSCGROUP_THREAD -utimes QSSB_SYSCGROUP_PATH -vserver QSSB_SYSCGROUP_UNIMPLEMENTED -mbind QSSB_SYSCGROUP_MEMORY -set_mempolicy QSSB_SYSCGROUP_MEMORY -get_mempolicy QSSB_SYSCGROUP_MEMORY -mq_open QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC -mq_unlink QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC -mq_timedsend QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC -mq_timedreceive QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC -mq_notify QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC -mq_getsetattr QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC -kexec_load QSSB_SYSCGROUP_KEXEC -waitid QSSB_SYSCGROUP_SIGNAL -add_key QSSB_SYSCGROUP_KEYS -request_key QSSB_SYSCGROUP_KEYS -keyctl QSSB_SYSCGROUP_KEYS -ioprio_set QSSB_SYSCGROUP_PRIO -ioprio_get QSSB_SYSCGROUP_PRIO -inotify_init QSSB_SYSCGROUP_INOTIFY -inotify_add_watch QSSB_SYSCGROUP_INOTIFY -inotify_rm_watch QSSB_SYSCGROUP_INOTIFY -migrate_pages QSSB_SYSCGROUP_PROCESS -openat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -mkdirat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -mknodat QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -fchownat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -futimesat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -newfstatat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -unlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -renameat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -linkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -symlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -readlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -fchmodat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -faccessat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -pselect6 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -ppoll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS -unshare QSSB_SYSCGROUP_NS,QSSB_SYSCGROUP_FS -set_robust_list QSSB_SYSCGROUP_FUTEX -get_robust_list QSSB_SYSCGROUP_FUTEX -splice QSSB_SYSCGROUP_FD -tee QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -sync_file_range QSSB_SYSCGROUP_FD -vmsplice QSSB_SYSCGROUP_FD -move_pages QSSB_SYSCGROUP_PROCESS -utimensat QSSB_SYSCGROUP_PATH -epoll_pwait QSSB_SYSCGROUP_STDIO -signalfd QSSB_SYSCGROUP_SIGNAL -timerfd_create QSSB_SYSCGROUP_TIMER -eventfd QSSB_SYSCGROUP_FD -fallocate QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD -timerfd_settime QSSB_SYSCGROUP_TIMER -timerfd_gettime QSSB_SYSCGROUP_TIMER -accept4 QSSB_SYSCGROUP_SOCKET -signalfd4 QSSB_SYSCGROUP_FD -eventfd2 QSSB_SYSCGROUP_FD -epoll_create1 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW -dup3 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -pipe2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -inotify_init1 QSSB_SYSCGROUP_INOTIFY -preadv QSSB_SYSCGROUP_STDIO -pwritev QSSB_SYSCGROUP_STDIO -rt_tgsigqueueinfo QSSB_SYSCGROUP_RT -perf_event_open QSSB_SYSCGROUP_PERF -recvmmsg QSSB_SYSCGROUP_SOCKET -fanotify_init QSSB_SYSCGROUP_FANOTIFY -fanotify_mark QSSB_SYSCGROUP_FANOTIFY -prlimit64 QSSB_SYSCGROUP_RES -name_to_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS -open_by_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS -clock_adjtime QSSB_SYSCGROUP_CLOCK -syncfs QSSB_SYSCGROUP_FD -sendmmsg QSSB_SYSCGROUP_SOCKET -setns QSSB_SYSCGROUP_NS -getcpu QSSB_SYSCGROUP_SCHED +read EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +write EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +open EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +close EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +stat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +fstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +lstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +poll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +lseek EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +mmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +mprotect EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +munmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +brk EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +rt_sigaction EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW +rt_sigprocmask EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW +rt_sigreturn EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW +ioctl EXILE_SYSCGROUP_IOCTL,EXILE_SYSCGROUP_DEFAULT_ALLOW +pread64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +pwrite64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +readv EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +writev EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +access EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +pipe EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +select EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +sched_yield EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW +mremap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +msync EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +mincore EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +madvise EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +shmget EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +shmat EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +shmctl EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +dup EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +dup2 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +pause EXILE_SYSCGROUP_PAUSE,EXILE_SYSCGROUP_DEFAULT_ALLOW +nanosleep EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW +getitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW +alarm EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW +setitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW +getpid EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +sendfile EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +socket EXILE_SYSCGROUP_SOCKET +connect EXILE_SYSCGROUP_SOCKET +accept EXILE_SYSCGROUP_SOCKET +sendto EXILE_SYSCGROUP_SOCKET +recvfrom EXILE_SYSCGROUP_SOCKET +sendmsg EXILE_SYSCGROUP_SOCKET +recvmsg EXILE_SYSCGROUP_SOCKET +shutdown EXILE_SYSCGROUP_SOCKET +bind EXILE_SYSCGROUP_SOCKET +listen EXILE_SYSCGROUP_SOCKET +getsockname EXILE_SYSCGROUP_SOCKET +getpeername EXILE_SYSCGROUP_SOCKET +socketpair EXILE_SYSCGROUP_SOCKET,EXILE_SYSCGROUP_IPC +setsockopt EXILE_SYSCGROUP_SOCKET +getsockopt EXILE_SYSCGROUP_SOCKET +clone EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW +fork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW +vfork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW +execve EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_EXEC +exit EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_DEFAULT_ALLOW +wait4 EXILE_SYSCGROUP_EXEC +kill EXILE_SYSCGROUP_KILL +uname EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW +semget EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +semop EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +semctl EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +shmdt EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +msgget EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +msgsnd EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +msgrcv EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +msgctl EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW +fcntl EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +flock EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +fsync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +fdatasync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +truncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +ftruncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +getdents EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +getcwd EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +chdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +fchdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +rename EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +mkdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +rmdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +creat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +link EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +unlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +symlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +readlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +chmod EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +fchmod EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +chown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +fchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +lchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +umask EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW +gettimeofday EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW +getrlimit EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW +getrusage EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW +sysinfo EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW +times EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW +ptrace EXILE_SYSCGROUP_PTRACE,EXILE_SYSCGROUP_DEFAULT_ALLOW +getuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +syslog EXILE_SYSCGROUP_SYS +getgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +setuid EXILE_SYSCGROUP_ID +setgid EXILE_SYSCGROUP_ID +geteuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +getegid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +setpgid EXILE_SYSCGROUP_ID +getppid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +getpgrp EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +setsid EXILE_SYSCGROUP_ID +setreuid EXILE_SYSCGROUP_ID +setregid EXILE_SYSCGROUP_ID +getgroups EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +setgroups EXILE_SYSCGROUP_ID +setresuid EXILE_SYSCGROUP_ID +getresuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +setresgid EXILE_SYSCGROUP_ID +getresgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +getpgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +setfsuid EXILE_SYSCGROUP_ID +setfsgid EXILE_SYSCGROUP_ID +getsid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +capget EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW +capset EXILE_SYSCGROUP_ID +rt_sigpending EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW +rt_sigtimedwait EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW +rt_sigqueueinfo EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW +rt_sigsuspend EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW +sigaltstack EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL +utime EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_FS +mknod EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_FS +uselib EXILE_SYSCGROUP_LIB,EXILE_SYSCGROUP_DEFAULT_ALLOW +personality EXILE_SYSCGROUP_PROCESS +ustat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS +statfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS +fstatfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS +sysfs EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_FS +getpriority EXILE_SYSCGROUP_SCHED +setpriority EXILE_SYSCGROUP_SCHED +sched_setparam EXILE_SYSCGROUP_SCHED +sched_getparam EXILE_SYSCGROUP_SCHED +sched_setscheduler EXILE_SYSCGROUP_SCHED +sched_getscheduler EXILE_SYSCGROUP_SCHED +sched_get_priority_max EXILE_SYSCGROUP_SCHED +sched_get_priority_min EXILE_SYSCGROUP_SCHED +sched_rr_get_interval EXILE_SYSCGROUP_SCHED +mlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +munlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +mlockall EXILE_SYSCGROUP_MEMORY +munlockall EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +vhangup EXILE_SYSCGROUP_TTY +modify_ldt EXILE_SYSCGROUP_PROCESS +pivot_root EXILE_SYSCGROUP_CHROOT +_sysctl EXILE_SYSCGROUP_SYS +prctl EXILE_SYSCGROUP_PROCESS +arch_prctl EXILE_SYSCGROUP_PROCESS +adjtimex EXILE_SYSCGROUP_CLOCK +setrlimit EXILE_SYSCGROUP_RES +chroot EXILE_SYSCGROUP_CHROOT,EXILE_SYSCGROUP_FS +sync EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +acct EXILE_SYSCGROUP_PROCESS +settimeofday EXILE_SYSCGROUP_TIME +mount EXILE_SYSCGROUP_MOUNT,EXILE_SYSCGROUP_FS +umount2 EXILE_SYSCGROUP_UMOUNT,EXILE_SYSCGROUP_FS +swapon EXILE_SYSCGROUP_SWAP +swapoff EXILE_SYSCGROUP_SWAP +reboot EXILE_SYSCGROUP_POWER +sethostname EXILE_SYSCGROUP_HOST +setdomainname EXILE_SYSCGROUP_HOST +iopl EXILE_SYSCGROUP_IOPL +ioperm EXILE_SYSCGROUP_IOPL +create_module EXILE_SYSCGROUP_KMOD +init_module EXILE_SYSCGROUP_KMOD +delete_module EXILE_SYSCGROUP_KMOD +get_kernel_syms EXILE_SYSCGROUP_KMOD +query_module EXILE_SYSCGROUP_KMOD +quotactl EXILE_SYSCGROUP_QUOTA +nfsservctl EXILE_SYSCGROUP_NONE +getpmsg EXILE_SYSCGROUP_UNIMPLEMENTED +putpmsg EXILE_SYSCGROUP_UNIMPLEMENTED +afs_syscall EXILE_SYSCGROUP_UNIMPLEMENTED +tuxcall EXILE_SYSCGROUP_UNIMPLEMENTED +security EXILE_SYSCGROUP_UNIMPLEMENTED +gettid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_THREAD +readahead EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS +setxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +lsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +fsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +getxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +lgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +fgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +listxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +llistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +flistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +removexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +lremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +fremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS +tkill EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL +time EXILE_SYSCGROUP_TIME +futex EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_FUTEX +sched_setaffinity EXILE_SYSCGROUP_SCHED +sched_getaffinity EXILE_SYSCGROUP_SCHED +set_thread_area EXILE_SYSCGROUP_THREAD +io_setup EXILE_SYSCGROUP_IO +io_destroy EXILE_SYSCGROUP_IO +io_getevents EXILE_SYSCGROUP_IO +io_submit EXILE_SYSCGROUP_IO +io_cancel EXILE_SYSCGROUP_IO +get_thread_area EXILE_SYSCGROUP_THREAD +lookup_dcookie EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS +epoll_create EXILE_SYSCGROUP_STDIO +epoll_ctl_old EXILE_SYSCGROUP_STDIO +epoll_wait_old EXILE_SYSCGROUP_STDIO +remap_file_pages EXILE_SYSCGROUP_NONE +getdents64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS +set_tid_address EXILE_SYSCGROUP_THREAD +restart_syscall EXILE_SYSCGROUP_SYSCALL +semtimedop EXILE_SYSCGROUP_SEM +fadvise64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD +timer_create EXILE_SYSCGROUP_TIMER +timer_settime EXILE_SYSCGROUP_TIMER +timer_gettime EXILE_SYSCGROUP_TIMER +timer_getoverrun EXILE_SYSCGROUP_TIMER +timer_delete EXILE_SYSCGROUP_TIMER +clock_settime EXILE_SYSCGROUP_TIME +clock_gettime EXILE_SYSCGROUP_TIME +clock_getres EXILE_SYSCGROUP_TIME +clock_nanosleep EXILE_SYSCGROUP_TIME +exit_group EXILE_SYSCGROUP_EXIT,EXILE_SYSCGROUP_DEFAULT_ALLOW +epoll_wait EXILE_SYSCGROUP_FD +epoll_ctl EXILE_SYSCGROUP_FD +tgkill EXILE_SYSCGROUP_SIGNAL,EXILE_SYSCGROUP_THREAD +utimes EXILE_SYSCGROUP_PATH +vserver EXILE_SYSCGROUP_UNIMPLEMENTED +mbind EXILE_SYSCGROUP_MEMORY +set_mempolicy EXILE_SYSCGROUP_MEMORY +get_mempolicy EXILE_SYSCGROUP_MEMORY +mq_open EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC +mq_unlink EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC +mq_timedsend EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC +mq_timedreceive EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC +mq_notify EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC +mq_getsetattr EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC +kexec_load EXILE_SYSCGROUP_KEXEC +waitid EXILE_SYSCGROUP_SIGNAL +add_key EXILE_SYSCGROUP_KEYS +request_key EXILE_SYSCGROUP_KEYS +keyctl EXILE_SYSCGROUP_KEYS +ioprio_set EXILE_SYSCGROUP_PRIO +ioprio_get EXILE_SYSCGROUP_PRIO +inotify_init EXILE_SYSCGROUP_INOTIFY +inotify_add_watch EXILE_SYSCGROUP_INOTIFY +inotify_rm_watch EXILE_SYSCGROUP_INOTIFY +migrate_pages EXILE_SYSCGROUP_PROCESS +openat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +mkdirat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +mknodat EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +fchownat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +futimesat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +newfstatat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +unlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +renameat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +linkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +symlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +readlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +fchmodat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +faccessat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +pselect6 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +ppoll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS +unshare EXILE_SYSCGROUP_NS,EXILE_SYSCGROUP_FS +set_robust_list EXILE_SYSCGROUP_FUTEX +get_robust_list EXILE_SYSCGROUP_FUTEX +splice EXILE_SYSCGROUP_FD +tee EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +sync_file_range EXILE_SYSCGROUP_FD +vmsplice EXILE_SYSCGROUP_FD +move_pages EXILE_SYSCGROUP_PROCESS +utimensat EXILE_SYSCGROUP_PATH +epoll_pwait EXILE_SYSCGROUP_STDIO +signalfd EXILE_SYSCGROUP_SIGNAL +timerfd_create EXILE_SYSCGROUP_TIMER +eventfd EXILE_SYSCGROUP_FD +fallocate EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD +timerfd_settime EXILE_SYSCGROUP_TIMER +timerfd_gettime EXILE_SYSCGROUP_TIMER +accept4 EXILE_SYSCGROUP_SOCKET +signalfd4 EXILE_SYSCGROUP_FD +eventfd2 EXILE_SYSCGROUP_FD +epoll_create1 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW +dup3 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +pipe2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +inotify_init1 EXILE_SYSCGROUP_INOTIFY +preadv EXILE_SYSCGROUP_STDIO +pwritev EXILE_SYSCGROUP_STDIO +rt_tgsigqueueinfo EXILE_SYSCGROUP_RT +perf_event_open EXILE_SYSCGROUP_PERF +recvmmsg EXILE_SYSCGROUP_SOCKET +fanotify_init EXILE_SYSCGROUP_FANOTIFY +fanotify_mark EXILE_SYSCGROUP_FANOTIFY +prlimit64 EXILE_SYSCGROUP_RES +name_to_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS +open_by_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS +clock_adjtime EXILE_SYSCGROUP_CLOCK +syncfs EXILE_SYSCGROUP_FD +sendmmsg EXILE_SYSCGROUP_SOCKET +setns EXILE_SYSCGROUP_NS +getcpu EXILE_SYSCGROUP_SCHED #maybe IPC, but feels wrong -process_vm_readv QSSB_SYSCGROUP_NONE -process_vm_writev QSSB_SYSCGROUP_NONE -kcmp QSSB_SYSCGROUP_NONE -finit_module QSSB_SYSCGROUP_KMOD -sched_setattr QSSB_SYSCGROUP_SCHED -sched_getattr QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW -renameat2 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW -seccomp QSSB_SYSCGROUP_NONE -getrandom QSSB_SYSCGROUP_DEFAULT_ALLOW -memfd_create QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW -kexec_file_load QSSB_SYSCGROUP_KEXEC -bpf QSSB_SYSCGROUP_NONE -execveat QSSB_SYSCGROUP_EXEC -userfaultfd QSSB_SYSCGROUP_NONE -membarrier QSSB_SYSCGROUP_NONE -mlock2 QSSB_SYSCGROUP_MEMORY -copy_file_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW -preadv2 QSSB_SYSCGROUP_STDIO -pwritev2 QSSB_SYSCGROUP_STDIO +process_vm_readv EXILE_SYSCGROUP_NONE +process_vm_writev EXILE_SYSCGROUP_NONE +kcmp EXILE_SYSCGROUP_NONE +finit_module EXILE_SYSCGROUP_KMOD +sched_setattr EXILE_SYSCGROUP_SCHED +sched_getattr EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW +renameat2 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW +seccomp EXILE_SYSCGROUP_NONE +getrandom EXILE_SYSCGROUP_DEFAULT_ALLOW +memfd_create EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW +kexec_file_load EXILE_SYSCGROUP_KEXEC +bpf EXILE_SYSCGROUP_NONE +execveat EXILE_SYSCGROUP_EXEC +userfaultfd EXILE_SYSCGROUP_NONE +membarrier EXILE_SYSCGROUP_NONE +mlock2 EXILE_SYSCGROUP_MEMORY +copy_file_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW +preadv2 EXILE_SYSCGROUP_STDIO +pwritev2 EXILE_SYSCGROUP_STDIO #Those are newer than 5.10, wrap them in ifndef so we can compile on old systems -pkey_mprotect QSSB_SYSCGROUP_PKEY genifndef(329) -pkey_alloc QSSB_SYSCGROUP_PKEY genifndef(330) -pkey_free QSSB_SYSCGROUP_PKEY genifndef(331) -statx QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(332) -io_pgetevents QSSB_SYSCGROUP_NONE genifndef(333) -rseq QSSB_SYSCGROUP_THREAD genifndef(334) -pidfd_send_signal QSSB_SYSCGROUP_PIDFD genifndef(424) -io_uring_setup QSSB_SYSCGROUP_IOURING genifndef(425) -io_uring_enter QSSB_SYSCGROUP_IOURING genifndef(426) -io_uring_register QSSB_SYSCGROUP_IOURING genifndef(427) -open_tree QSSB_SYSCGROUP_NEWMOUNT genifndef(428) -move_mount QSSB_SYSCGROUP_NEWMOUNT genifndef(429) -fsopen QSSB_SYSCGROUP_NEWMOUNT genifndef(430) -fsconfig QSSB_SYSCGROUP_NEWMOUNT genifndef(431) -fsmount QSSB_SYSCGROUP_NEWMOUNT genifndef(432) -fspick QSSB_SYSCGROUP_NEWMOUNT genifndef(433) -pidfd_open QSSB_SYSCGROUP_PIDFD genifndef(434) -clone3 QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(435) -close_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(436) -openat2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(437) -pidfd_getfd QSSB_SYSCGROUP_PIDFD genifndef(438) -faccessat2 QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(439) -process_madvise QSSB_SYSCGROUP_MEMORY genifndef(440) -epoll_pwait2 QSSB_SYSCGROUP_STDIO genifndef(441) -mount_setattr QSSB_SYSCGROUP_NONE genifndef(442) -quotactl_fd QSSB_SYSCGROUP_QUOTA genifndef(443) -landlock_create_ruleset QSSB_SYSCGROUP_LANDLOCK genifndef(444) -landlock_add_rule QSSB_SYSCGROUP_LANDLOCK genifndef(445) -landlock_restrict_self QSSB_SYSCGROUP_LANDLOCK genifndef(446) -memfd_secret QSSB_SYSCGROUP_NONE genifndef(447) -process_mrelease QSSB_SYSCGROUP_NONE genifndef(448) +pkey_mprotect EXILE_SYSCGROUP_PKEY genifndef(329) +pkey_alloc EXILE_SYSCGROUP_PKEY genifndef(330) +pkey_free EXILE_SYSCGROUP_PKEY genifndef(331) +statx EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(332) +io_pgetevents EXILE_SYSCGROUP_NONE genifndef(333) +rseq EXILE_SYSCGROUP_THREAD genifndef(334) +pidfd_send_signal EXILE_SYSCGROUP_PIDFD genifndef(424) +io_uring_setup EXILE_SYSCGROUP_IOURING genifndef(425) +io_uring_enter EXILE_SYSCGROUP_IOURING genifndef(426) +io_uring_register EXILE_SYSCGROUP_IOURING genifndef(427) +open_tree EXILE_SYSCGROUP_NEWMOUNT genifndef(428) +move_mount EXILE_SYSCGROUP_NEWMOUNT genifndef(429) +fsopen EXILE_SYSCGROUP_NEWMOUNT genifndef(430) +fsconfig EXILE_SYSCGROUP_NEWMOUNT genifndef(431) +fsmount EXILE_SYSCGROUP_NEWMOUNT genifndef(432) +fspick EXILE_SYSCGROUP_NEWMOUNT genifndef(433) +pidfd_open EXILE_SYSCGROUP_PIDFD genifndef(434) +clone3 EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(435) +close_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(436) +openat2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(437) +pidfd_getfd EXILE_SYSCGROUP_PIDFD genifndef(438) +faccessat2 EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(439) +process_madvise EXILE_SYSCGROUP_MEMORY genifndef(440) +epoll_pwait2 EXILE_SYSCGROUP_STDIO genifndef(441) +mount_setattr EXILE_SYSCGROUP_NONE genifndef(442) +quotactl_fd EXILE_SYSCGROUP_QUOTA genifndef(443) +landlock_create_ruleset EXILE_SYSCGROUP_LANDLOCK genifndef(444) +landlock_add_rule EXILE_SYSCGROUP_LANDLOCK genifndef(445) +landlock_restrict_self EXILE_SYSCGROUP_LANDLOCK genifndef(446) +memfd_secret EXILE_SYSCGROUP_NONE genifndef(447) +process_mrelease EXILE_SYSCGROUP_NONE genifndef(448) diff --git a/test.c b/test.c index 4f2f1ef..00dabde 100644 --- a/test.c +++ b/test.c @@ -1,4 +1,4 @@ -#include "qssb.h" +#include "exile.h" #include #include #include @@ -6,12 +6,12 @@ #include #include -int xqssb_enable_policy(struct qssb_policy *policy) +int xexile_enable_policy(struct exile_policy *policy) { - int ret = qssb_enable_policy(policy); + int ret = exile_enable_policy(policy); if(ret != 0) { - fprintf(stderr, "qssb_enable_policy() failed: %i\n", ret); + fprintf(stderr, "exile_enable_policy() failed: %i\n", ret); exit(EXIT_FAILURE); } return 0; @@ -19,8 +19,8 @@ int xqssb_enable_policy(struct qssb_policy *policy) int test_default_main() { - struct qssb_policy *policy = qssb_init_policy(); - return xqssb_enable_policy(policy); + struct exile_policy *policy = exile_init_policy(); + return xexile_enable_policy(policy); } static int test_expected_kill(int (*f)()) @@ -86,11 +86,11 @@ static int test_successful_exit(int (*f)()) static int do_test_seccomp_blacklisted() { - struct qssb_policy *policy = qssb_init_policy(); - qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid)); - qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW); + struct exile_policy *policy = exile_init_policy(); + exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid)); + exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW); - xqssb_enable_policy(policy); + xexile_enable_policy(policy); uid_t pid = geteuid(); pid = getuid(); @@ -106,12 +106,12 @@ int test_seccomp_blacklisted() static int do_test_seccomp_blacklisted_call_permitted() { - struct qssb_policy *policy = qssb_init_policy(); + struct exile_policy *policy = exile_init_policy(); - qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid)); - qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW); + exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid)); + exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW); - xqssb_enable_policy(policy); + xexile_enable_policy(policy); //geteuid is not blacklisted, so must succeed uid_t pid = geteuid(); return 0; @@ -125,15 +125,15 @@ int test_seccomp_blacklisted_call_permitted() static int do_test_seccomp_x32_kill() { - struct qssb_policy *policy = qssb_init_policy(); + struct exile_policy *policy = exile_init_policy(); - qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid)); - qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW); + exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid)); + exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW); - xqssb_enable_policy(policy); + xexile_enable_policy(policy); /* Attempt to bypass by falling back to x32 should be blocked */ - syscall(QSSB_SYS(getuid)+__X32_SYSCALL_BIT); + syscall(EXILE_SYS(getuid)+__X32_SYSCALL_BIT); return 0; } @@ -146,11 +146,11 @@ int test_seccomp_x32_kill() /* Tests whether seccomp rules end with a policy matching all syscalls */ int test_seccomp_require_last_matchall() { - struct qssb_policy *policy = qssb_init_policy(); + struct exile_policy *policy = exile_init_policy(); - qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid)); + exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_KILL_PROCESS, EXILE_SYS(getuid)); - int status = qssb_enable_policy(policy); + int status = exile_enable_policy(policy); if(status == 0) { printf("Failed. Should not have been enabled!"); @@ -161,12 +161,12 @@ int test_seccomp_require_last_matchall() static int do_test_seccomp_errno() { - struct qssb_policy *policy = qssb_init_policy(); + struct exile_policy *policy = exile_init_policy(); - qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYS(close)); - qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW); + exile_append_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYS(close)); + exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW); - xqssb_enable_policy(policy); + xexile_enable_policy(policy); uid_t id = getuid(); int fd = close(0); @@ -183,12 +183,12 @@ int test_seccomp_errno() static int test_seccomp_group() { - struct qssb_policy *policy = qssb_init_policy(); + struct exile_policy *policy = exile_init_policy(); - qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_SOCKET); - qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW); + exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_SOCKET); + exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW); - xqssb_enable_policy(policy); + xexile_enable_policy(policy); int s = socket(AF_INET,SOCK_STREAM,0); if(s != -1) @@ -202,9 +202,9 @@ static int test_seccomp_group() #if HAVE_LANDLOCK == 1 int test_landlock() { - struct qssb_policy *policy = qssb_init_policy(); - qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/proc/self/fd"); - xqssb_enable_policy(policy); + struct exile_policy *policy = exile_init_policy(); + exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/proc/self/fd"); + xexile_enable_policy(policy); int fd = open("/", O_RDONLY | O_CLOEXEC); if(fd < 0) @@ -216,9 +216,9 @@ int test_landlock() int test_landlock_deny_write() { - struct qssb_policy *policy = qssb_init_policy(); - qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/tmp/"); - xqssb_enable_policy(policy); + struct exile_policy *policy = exile_init_policy(); + exile_append_path_policy(policy, EXILE_FS_ALLOW_READ, "/tmp/"); + xexile_enable_policy(policy); int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC); if(fd < 0) @@ -241,9 +241,9 @@ int test_landlock_deny_write() int test_nofs() { - struct qssb_policy *policy = qssb_init_policy(); + struct exile_policy *policy = exile_init_policy(); policy->no_fs = 1; - xqssb_enable_policy(policy); + xexile_enable_policy(policy); int s = socket(AF_INET,SOCK_STREAM,0); if(s == -1) @@ -265,9 +265,9 @@ int test_nofs() int test_no_new_fds() { - struct qssb_policy *policy = qssb_init_policy(); + struct exile_policy *policy = exile_init_policy(); policy->no_new_fds = 1; - xqssb_enable_policy(policy); + xexile_enable_policy(policy); if(open("/tmp/test", O_CREAT | O_WRONLY) >= 0) { diff --git a/test.sh b/test.sh index d1e76da..d1600b7 100755 --- a/test.sh +++ b/test.sh @@ -74,7 +74,7 @@ if [ -z "$LOG_OUTPUT_DIR" ] ; then LOG_OUTPUT_DIR="./logs/" fi -LOG_OUTPUT_DIR_PATH="${LOG_OUTPUT_DIR}/qssb_test_${GIT_ID}_${TIMESTAMP}" +LOG_OUTPUT_DIR_PATH="${LOG_OUTPUT_DIR}/exile_test_${GIT_ID}_${TIMESTAMP}" [ -d "$LOG_OUTPUT_DIR_PATH" ] || mkdir -p "$LOG_OUTPUT_DIR_PATH" for test in $( ./test --dumptests ) ; do