From 7115ef8b4d4a4f4586b1cf31e58e3a2a4f444f47 Mon Sep 17 00:00:00 2001
From: Albert S <mail@quitesimple.org>
Date: Sun, 5 Dec 2021 17:28:58 +0100
Subject: [PATCH] Begin an pledge()-like implementation

This begins a pledge() implementation. This also
retires the previous syscall grouping approach,
as pledge() is the superior mechanism.

Squashed:
test: Begin basic pledge test
pledge: Begin EXILE_SYSCALL_PLEDGE_UNIX/EXILE_SYSCALL_PLEDGE_INET
test: Add pledge socket test
Introduce EXILE_SYSCALL_PLEDGE_DENY_ERROR, remove exile_policy->pledge_policy
pledge: Add PROT_EXEC
---
 exile.h             | 941 ++++++++++++++++++++++----------------------
 gengroup.py         |  55 ---
 grouping_x86-64.txt | 363 -----------------
 test.c              |  98 +++--
 4 files changed, 536 insertions(+), 921 deletions(-)
 delete mode 100755 gengroup.py
 delete mode 100644 grouping_x86-64.txt

diff --git a/exile.h b/exile.h
index d89247b..868798e 100644
--- a/exile.h
+++ b/exile.h
@@ -31,6 +31,8 @@
 #include <sys/random.h>
 #include <sys/time.h>
 #include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
@@ -70,6 +72,9 @@
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (nr), 0, 1), jt
 
 
+#define EXILE_BPF_NOP \
+	BPF_STMT(BPF_JMP+BPF_JA,0)
+
 #define EXILE_UNSHARE_NETWORK 1<<1
 #define EXILE_UNSHARE_USER 1<<2
 #define EXILE_UNSHARE_MOUNT 1<<3
@@ -234,438 +239,12 @@ static inline int landlock_restrict_self(const int ruleset_fd,
 #endif
 #endif
 
-#define EXILE_SYSCGROUP_CHROOT ((uint64_t)1<<0)
-#define EXILE_SYSCGROUP_CLOCK ((uint64_t)1<<1)
-#define EXILE_SYSCGROUP_CLONE ((uint64_t)1<<2)
-#define EXILE_SYSCGROUP_DEFAULT_ALLOW ((uint64_t)1<<3)
-#define EXILE_SYSCGROUP_DEV ((uint64_t)1<<4)
-#define EXILE_SYSCGROUP_EXEC ((uint64_t)1<<5)
-#define EXILE_SYSCGROUP_EXIT ((uint64_t)1<<6)
-#define EXILE_SYSCGROUP_FANOTIFY ((uint64_t)1<<7)
-#define EXILE_SYSCGROUP_FD ((uint64_t)1<<8)
-#define EXILE_SYSCGROUP_FS ((uint64_t)1<<9)
-#define EXILE_SYSCGROUP_FUTEX ((uint64_t)1<<10)
-#define EXILE_SYSCGROUP_HOST ((uint64_t)1<<11)
-#define EXILE_SYSCGROUP_ID ((uint64_t)1<<12)
-#define EXILE_SYSCGROUP_INOTIFY ((uint64_t)1<<13)
-#define EXILE_SYSCGROUP_IO ((uint64_t)1<<14)
-#define EXILE_SYSCGROUP_IOCTL ((uint64_t)1<<15)
-#define EXILE_SYSCGROUP_IOPL ((uint64_t)1<<16)
-#define EXILE_SYSCGROUP_IOURING ((uint64_t)1<<17)
-#define EXILE_SYSCGROUP_IPC ((uint64_t)1<<18)
-#define EXILE_SYSCGROUP_KEXEC ((uint64_t)1<<19)
-#define EXILE_SYSCGROUP_KEYS ((uint64_t)1<<20)
-#define EXILE_SYSCGROUP_KILL ((uint64_t)1<<21)
-#define EXILE_SYSCGROUP_KMOD ((uint64_t)1<<22)
-#define EXILE_SYSCGROUP_LANDLOCK ((uint64_t)1<<23)
-#define EXILE_SYSCGROUP_LIB ((uint64_t)1<<24)
-#define EXILE_SYSCGROUP_MEMORY ((uint64_t)1<<25)
-#define EXILE_SYSCGROUP_MOUNT ((uint64_t)1<<26)
-#define EXILE_SYSCGROUP_MQ ((uint64_t)1<<27)
-#define EXILE_SYSCGROUP_NEWMOUNT ((uint64_t)1<<28)
-#define EXILE_SYSCGROUP_NONE ((uint64_t)1<<29)
-#define EXILE_SYSCGROUP_NS ((uint64_t)1<<30)
-#define EXILE_SYSCGROUP_PATH ((uint64_t)1<<31)
-#define EXILE_SYSCGROUP_PAUSE ((uint64_t)1<<32)
-#define EXILE_SYSCGROUP_PERF ((uint64_t)1<<33)
-#define EXILE_SYSCGROUP_PERMS ((uint64_t)1<<34)
-#define EXILE_SYSCGROUP_PIDFD ((uint64_t)1<<35)
-#define EXILE_SYSCGROUP_PKEY ((uint64_t)1<<36)
-#define EXILE_SYSCGROUP_POWER ((uint64_t)1<<37)
-#define EXILE_SYSCGROUP_PRIO ((uint64_t)1<<38)
-#define EXILE_SYSCGROUP_PROCESS ((uint64_t)1<<39)
-#define EXILE_SYSCGROUP_PTRACE ((uint64_t)1<<40)
-#define EXILE_SYSCGROUP_QUOTA ((uint64_t)1<<41)
-#define EXILE_SYSCGROUP_RES ((uint64_t)1<<42)
-#define EXILE_SYSCGROUP_RT ((uint64_t)1<<43)
-#define EXILE_SYSCGROUP_SCHED ((uint64_t)1<<44)
-#define EXILE_SYSCGROUP_SEM ((uint64_t)1<<45)
-#define EXILE_SYSCGROUP_SHM ((uint64_t)1<<46)
-#define EXILE_SYSCGROUP_SIGNAL ((uint64_t)1<<47)
-#define EXILE_SYSCGROUP_SOCKET ((uint64_t)1<<48)
-#define EXILE_SYSCGROUP_STAT ((uint64_t)1<<49)
-#define EXILE_SYSCGROUP_STDIO ((uint64_t)1<<50)
-#define EXILE_SYSCGROUP_SWAP ((uint64_t)1<<51)
-#define EXILE_SYSCGROUP_SYS ((uint64_t)1<<52)
-#define EXILE_SYSCGROUP_SYSCALL ((uint64_t)1<<53)
-#define EXILE_SYSCGROUP_THREAD ((uint64_t)1<<54)
-#define EXILE_SYSCGROUP_TIME ((uint64_t)1<<55)
-#define EXILE_SYSCGROUP_TIMER ((uint64_t)1<<56)
-#define EXILE_SYSCGROUP_TTY ((uint64_t)1<<57)
-#define EXILE_SYSCGROUP_UMOUNT ((uint64_t)1<<58)
-#define EXILE_SYSCGROUP_UNIMPLEMENTED ((uint64_t)1<<59)
-#define EXILE_SYSCGROUP_XATTR ((uint64_t)1<<60)
-
-struct syscall_group_map
+struct syscall_pledge_map
 {
 	long syscall;
-	uint64_t groupmask;
+	uint64_t pledgemask;
 };
 
-struct syscall_group_map sc_group_map[] = {
-{EXILE_SYS(read), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(write), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(open), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(close), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(stat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fstat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(lstat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(poll), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(lseek), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(mmap), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(mprotect), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(munmap), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(brk), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(rt_sigaction), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(rt_sigprocmask), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(rt_sigreturn), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(ioctl), EXILE_SYSCGROUP_IOCTL|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(pread64), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(pwrite64), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(readv), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(writev), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(access), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(pipe), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(select), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(sched_yield), EXILE_SYSCGROUP_SCHED|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(mremap), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(msync), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(mincore), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(madvise), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(shmget), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(shmat), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(shmctl), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(dup), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(dup2), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(pause), EXILE_SYSCGROUP_PAUSE|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(nanosleep), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getitimer), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(alarm), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(setitimer), EXILE_SYSCGROUP_TIMER|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getpid), EXILE_SYSCGROUP_PROCESS|EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(sendfile), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(socket), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(connect), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(accept), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(sendto), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(recvfrom), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(sendmsg), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(recvmsg), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(shutdown), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(bind), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(listen), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(getsockname), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(getpeername), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(socketpair), EXILE_SYSCGROUP_SOCKET|EXILE_SYSCGROUP_IPC},
-{EXILE_SYS(setsockopt), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(getsockopt), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(clone), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(fork), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(vfork), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(execve), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_EXEC},
-{EXILE_SYS(exit), EXILE_SYSCGROUP_PROCESS|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(wait4), EXILE_SYSCGROUP_EXEC},
-{EXILE_SYS(kill), EXILE_SYSCGROUP_KILL},
-{EXILE_SYS(uname), EXILE_SYSCGROUP_SYS|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(semget), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(semop), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(semctl), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(shmdt), EXILE_SYSCGROUP_SHM|EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(msgget), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(msgsnd), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(msgrcv), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(msgctl), EXILE_SYSCGROUP_IPC|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(fcntl), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(flock), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(fsync), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(fdatasync), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(truncate), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(ftruncate), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(getdents), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(getcwd), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(chdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fchdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(rename), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(mkdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(rmdir), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(creat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(link), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(unlink), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(symlink), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(readlink), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(chmod), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fchmod), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(chown), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fchown), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(lchown), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(umask), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(gettimeofday), EXILE_SYSCGROUP_TIME|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getrlimit), EXILE_SYSCGROUP_RES|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getrusage), EXILE_SYSCGROUP_RES|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(sysinfo), EXILE_SYSCGROUP_SYS|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(times), EXILE_SYSCGROUP_TIME|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(ptrace), EXILE_SYSCGROUP_PTRACE|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getuid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(syslog), EXILE_SYSCGROUP_SYS},
-{EXILE_SYS(getgid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(setuid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(setgid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(geteuid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getegid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(setpgid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(getppid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getpgrp), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(setsid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(setreuid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(setregid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(getgroups), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(setgroups), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(setresuid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(getresuid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(setresgid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(getresgid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(getpgid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(setfsuid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(setfsgid), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(getsid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(capget), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(capset), EXILE_SYSCGROUP_ID},
-{EXILE_SYS(rt_sigpending), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(rt_sigtimedwait), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(rt_sigqueueinfo), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(rt_sigsuspend), EXILE_SYSCGROUP_RT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(sigaltstack), EXILE_SYSCGROUP_THREAD|EXILE_SYSCGROUP_SIGNAL},
-{EXILE_SYS(utime), EXILE_SYSCGROUP_TIME|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(mknod), EXILE_SYSCGROUP_DEV|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(uselib), EXILE_SYSCGROUP_LIB|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(personality), EXILE_SYSCGROUP_PROCESS},
-{EXILE_SYS(ustat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(statfs), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fstatfs), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(sysfs), EXILE_SYSCGROUP_SYS|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(getpriority), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(setpriority), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_setparam), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_getparam), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_setscheduler), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_getscheduler), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_get_priority_max), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_get_priority_min), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_rr_get_interval), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(mlock), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(munlock), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(mlockall), EXILE_SYSCGROUP_MEMORY},
-{EXILE_SYS(munlockall), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(vhangup), EXILE_SYSCGROUP_TTY},
-{EXILE_SYS(modify_ldt), EXILE_SYSCGROUP_PROCESS},
-{EXILE_SYS(pivot_root), EXILE_SYSCGROUP_CHROOT},
-{EXILE_SYS(_sysctl), EXILE_SYSCGROUP_SYS},
-{EXILE_SYS(prctl), EXILE_SYSCGROUP_PROCESS},
-{EXILE_SYS(arch_prctl), EXILE_SYSCGROUP_PROCESS},
-{EXILE_SYS(adjtimex), EXILE_SYSCGROUP_CLOCK},
-{EXILE_SYS(setrlimit), EXILE_SYSCGROUP_RES},
-{EXILE_SYS(chroot), EXILE_SYSCGROUP_CHROOT|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(sync), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(acct), EXILE_SYSCGROUP_PROCESS},
-{EXILE_SYS(settimeofday), EXILE_SYSCGROUP_TIME},
-{EXILE_SYS(mount), EXILE_SYSCGROUP_MOUNT|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(umount2), EXILE_SYSCGROUP_UMOUNT|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(swapon), EXILE_SYSCGROUP_SWAP},
-{EXILE_SYS(swapoff), EXILE_SYSCGROUP_SWAP},
-{EXILE_SYS(reboot), EXILE_SYSCGROUP_POWER},
-{EXILE_SYS(sethostname), EXILE_SYSCGROUP_HOST},
-{EXILE_SYS(setdomainname), EXILE_SYSCGROUP_HOST},
-{EXILE_SYS(iopl), EXILE_SYSCGROUP_IOPL},
-{EXILE_SYS(ioperm), EXILE_SYSCGROUP_IOPL},
-{EXILE_SYS(create_module), EXILE_SYSCGROUP_KMOD},
-{EXILE_SYS(init_module), EXILE_SYSCGROUP_KMOD},
-{EXILE_SYS(delete_module), EXILE_SYSCGROUP_KMOD},
-{EXILE_SYS(get_kernel_syms), EXILE_SYSCGROUP_KMOD},
-{EXILE_SYS(query_module), EXILE_SYSCGROUP_KMOD},
-{EXILE_SYS(quotactl), EXILE_SYSCGROUP_QUOTA},
-{EXILE_SYS(nfsservctl), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(getpmsg), EXILE_SYSCGROUP_UNIMPLEMENTED},
-{EXILE_SYS(putpmsg), EXILE_SYSCGROUP_UNIMPLEMENTED},
-{EXILE_SYS(afs_syscall), EXILE_SYSCGROUP_UNIMPLEMENTED},
-{EXILE_SYS(tuxcall), EXILE_SYSCGROUP_UNIMPLEMENTED},
-{EXILE_SYS(security), EXILE_SYSCGROUP_UNIMPLEMENTED},
-{EXILE_SYS(gettid), EXILE_SYSCGROUP_ID|EXILE_SYSCGROUP_THREAD},
-{EXILE_SYS(readahead), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(setxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(lsetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fsetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(getxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(lgetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fgetxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(listxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(llistxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(flistxattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(removexattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(lremovexattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fremovexattr), EXILE_SYSCGROUP_XATTR|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(tkill), EXILE_SYSCGROUP_THREAD|EXILE_SYSCGROUP_SIGNAL},
-{EXILE_SYS(time), EXILE_SYSCGROUP_TIME},
-{EXILE_SYS(futex), EXILE_SYSCGROUP_THREAD|EXILE_SYSCGROUP_FUTEX},
-{EXILE_SYS(sched_setaffinity), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_getaffinity), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(set_thread_area), EXILE_SYSCGROUP_THREAD},
-{EXILE_SYS(io_setup), EXILE_SYSCGROUP_IO},
-{EXILE_SYS(io_destroy), EXILE_SYSCGROUP_IO},
-{EXILE_SYS(io_getevents), EXILE_SYSCGROUP_IO},
-{EXILE_SYS(io_submit), EXILE_SYSCGROUP_IO},
-{EXILE_SYS(io_cancel), EXILE_SYSCGROUP_IO},
-{EXILE_SYS(get_thread_area), EXILE_SYSCGROUP_THREAD},
-{EXILE_SYS(lookup_dcookie), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(epoll_create), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(epoll_ctl_old), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(epoll_wait_old), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(remap_file_pages), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(getdents64), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(set_tid_address), EXILE_SYSCGROUP_THREAD},
-{EXILE_SYS(restart_syscall), EXILE_SYSCGROUP_SYSCALL},
-{EXILE_SYS(semtimedop), EXILE_SYSCGROUP_SEM},
-{EXILE_SYS(fadvise64), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FD},
-{EXILE_SYS(timer_create), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(timer_settime), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(timer_gettime), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(timer_getoverrun), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(timer_delete), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(clock_settime), EXILE_SYSCGROUP_TIME},
-{EXILE_SYS(clock_gettime), EXILE_SYSCGROUP_TIME},
-{EXILE_SYS(clock_getres), EXILE_SYSCGROUP_TIME},
-{EXILE_SYS(clock_nanosleep), EXILE_SYSCGROUP_TIME},
-{EXILE_SYS(exit_group), EXILE_SYSCGROUP_EXIT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(epoll_wait), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(epoll_ctl), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(tgkill), EXILE_SYSCGROUP_SIGNAL|EXILE_SYSCGROUP_THREAD},
-{EXILE_SYS(utimes), EXILE_SYSCGROUP_PATH},
-{EXILE_SYS(vserver), EXILE_SYSCGROUP_UNIMPLEMENTED},
-{EXILE_SYS(mbind), EXILE_SYSCGROUP_MEMORY},
-{EXILE_SYS(set_mempolicy), EXILE_SYSCGROUP_MEMORY},
-{EXILE_SYS(get_mempolicy), EXILE_SYSCGROUP_MEMORY},
-{EXILE_SYS(mq_open), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC},
-{EXILE_SYS(mq_unlink), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC},
-{EXILE_SYS(mq_timedsend), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC},
-{EXILE_SYS(mq_timedreceive), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC},
-{EXILE_SYS(mq_notify), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC},
-{EXILE_SYS(mq_getsetattr), EXILE_SYSCGROUP_MQ|EXILE_SYSCGROUP_IPC},
-{EXILE_SYS(kexec_load), EXILE_SYSCGROUP_KEXEC},
-{EXILE_SYS(waitid), EXILE_SYSCGROUP_SIGNAL},
-{EXILE_SYS(add_key), EXILE_SYSCGROUP_KEYS},
-{EXILE_SYS(request_key), EXILE_SYSCGROUP_KEYS},
-{EXILE_SYS(keyctl), EXILE_SYSCGROUP_KEYS},
-{EXILE_SYS(ioprio_set), EXILE_SYSCGROUP_PRIO},
-{EXILE_SYS(ioprio_get), EXILE_SYSCGROUP_PRIO},
-{EXILE_SYS(inotify_init), EXILE_SYSCGROUP_INOTIFY},
-{EXILE_SYS(inotify_add_watch), EXILE_SYSCGROUP_INOTIFY},
-{EXILE_SYS(inotify_rm_watch), EXILE_SYSCGROUP_INOTIFY},
-{EXILE_SYS(migrate_pages), EXILE_SYSCGROUP_PROCESS},
-{EXILE_SYS(openat), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(mkdirat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(mknodat), EXILE_SYSCGROUP_DEV|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fchownat), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(futimesat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(newfstatat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(unlinkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(renameat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(linkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(symlinkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(readlinkat), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(fchmodat), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(faccessat), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(pselect6), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(ppoll), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(unshare), EXILE_SYSCGROUP_NS|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(set_robust_list), EXILE_SYSCGROUP_FUTEX},
-{EXILE_SYS(get_robust_list), EXILE_SYSCGROUP_FUTEX},
-{EXILE_SYS(splice), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(tee), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(sync_file_range), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(vmsplice), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(move_pages), EXILE_SYSCGROUP_PROCESS},
-{EXILE_SYS(utimensat), EXILE_SYSCGROUP_PATH},
-{EXILE_SYS(epoll_pwait), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(signalfd), EXILE_SYSCGROUP_SIGNAL},
-{EXILE_SYS(timerfd_create), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(eventfd), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(fallocate), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_FD},
-{EXILE_SYS(timerfd_settime), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(timerfd_gettime), EXILE_SYSCGROUP_TIMER},
-{EXILE_SYS(accept4), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(signalfd4), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(eventfd2), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(epoll_create1), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(dup3), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(pipe2), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(inotify_init1), EXILE_SYSCGROUP_INOTIFY},
-{EXILE_SYS(preadv), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(pwritev), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(rt_tgsigqueueinfo), EXILE_SYSCGROUP_RT},
-{EXILE_SYS(perf_event_open), EXILE_SYSCGROUP_PERF},
-{EXILE_SYS(recvmmsg), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(fanotify_init), EXILE_SYSCGROUP_FANOTIFY},
-{EXILE_SYS(fanotify_mark), EXILE_SYSCGROUP_FANOTIFY},
-{EXILE_SYS(prlimit64), EXILE_SYSCGROUP_RES},
-{EXILE_SYS(name_to_handle_at), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(open_by_handle_at), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_FS},
-{EXILE_SYS(clock_adjtime), EXILE_SYSCGROUP_CLOCK},
-{EXILE_SYS(syncfs), EXILE_SYSCGROUP_FD},
-{EXILE_SYS(sendmmsg), EXILE_SYSCGROUP_SOCKET},
-{EXILE_SYS(setns), EXILE_SYSCGROUP_NS},
-{EXILE_SYS(getcpu), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(process_vm_readv), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(process_vm_writev), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(kcmp), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(finit_module), EXILE_SYSCGROUP_KMOD},
-{EXILE_SYS(sched_setattr), EXILE_SYSCGROUP_SCHED},
-{EXILE_SYS(sched_getattr), EXILE_SYSCGROUP_SCHED|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(renameat2), EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(seccomp), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(getrandom), EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(memfd_create), EXILE_SYSCGROUP_MEMORY|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(kexec_file_load), EXILE_SYSCGROUP_KEXEC},
-{EXILE_SYS(bpf), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(execveat), EXILE_SYSCGROUP_EXEC},
-{EXILE_SYS(userfaultfd), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(membarrier), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(mlock2), EXILE_SYSCGROUP_MEMORY},
-{EXILE_SYS(copy_file_range), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(preadv2), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(pwritev2), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(pkey_mprotect), EXILE_SYSCGROUP_PKEY},
-{EXILE_SYS(pkey_alloc), EXILE_SYSCGROUP_PKEY},
-{EXILE_SYS(pkey_free), EXILE_SYSCGROUP_PKEY},
-{EXILE_SYS(statx), EXILE_SYSCGROUP_STAT|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(io_pgetevents), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(rseq), EXILE_SYSCGROUP_THREAD},
-{EXILE_SYS(pidfd_send_signal), EXILE_SYSCGROUP_PIDFD},
-{EXILE_SYS(io_uring_setup), EXILE_SYSCGROUP_IOURING},
-{EXILE_SYS(io_uring_enter), EXILE_SYSCGROUP_IOURING},
-{EXILE_SYS(io_uring_register), EXILE_SYSCGROUP_IOURING},
-{EXILE_SYS(open_tree), EXILE_SYSCGROUP_NEWMOUNT},
-{EXILE_SYS(move_mount), EXILE_SYSCGROUP_NEWMOUNT},
-{EXILE_SYS(fsopen), EXILE_SYSCGROUP_NEWMOUNT},
-{EXILE_SYS(fsconfig), EXILE_SYSCGROUP_NEWMOUNT},
-{EXILE_SYS(fsmount), EXILE_SYSCGROUP_NEWMOUNT},
-{EXILE_SYS(fspick), EXILE_SYSCGROUP_NEWMOUNT},
-{EXILE_SYS(pidfd_open), EXILE_SYSCGROUP_PIDFD},
-{EXILE_SYS(clone3), EXILE_SYSCGROUP_CLONE|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(close_range), EXILE_SYSCGROUP_STDIO|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(openat2), EXILE_SYSCGROUP_FD|EXILE_SYSCGROUP_PATH|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(pidfd_getfd), EXILE_SYSCGROUP_PIDFD},
-{EXILE_SYS(faccessat2), EXILE_SYSCGROUP_PERMS|EXILE_SYSCGROUP_DEFAULT_ALLOW},
-{EXILE_SYS(process_madvise), EXILE_SYSCGROUP_MEMORY},
-{EXILE_SYS(epoll_pwait2), EXILE_SYSCGROUP_STDIO},
-{EXILE_SYS(mount_setattr), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(quotactl_fd), EXILE_SYSCGROUP_QUOTA},
-{EXILE_SYS(landlock_create_ruleset), EXILE_SYSCGROUP_LANDLOCK},
-{EXILE_SYS(landlock_add_rule), EXILE_SYSCGROUP_LANDLOCK},
-{EXILE_SYS(landlock_restrict_self), EXILE_SYSCGROUP_LANDLOCK},
-{EXILE_SYS(memfd_secret), EXILE_SYSCGROUP_NONE},
-{EXILE_SYS(process_mrelease), EXILE_SYSCGROUP_NONE}
-};
-
-
 struct exile_path_policy
 {
 	const char *path;
@@ -675,12 +254,37 @@ struct exile_path_policy
 
 /* Special values */
 #define EXILE_SYSCALL_MATCH_ALL -1
-#define EXILE_SYSCALL_EXIT_BPF_NO_MATCH 255 //exit the bpf filter, not matching policy
+/* exit the bpf filter, not matching policy. Go to the next syscall (or the default action, if none left to check) */
+#define EXILE_SYSCALL_EXIT_BPF_NO_MATCH 255
+/* exit the bpf filter, go directly to the action for the syscall (skip all other args checks) */
+#define EXILE_SYSCALL_EXIT_BPF_RETURN 254
 
 #define EXILE_SYSCALL_ALLOW 1
 #define EXILE_SYSCALL_DENY_KILL_PROCESS 2
 #define EXILE_SYSCALL_DENY_RET_ERROR 3
 
+/* Pledge definitions */
+#define EXILE_SYSCALL_PLEDGE_CHOWN ((uint64_t)1<<1)
+#define EXILE_SYSCALL_PLEDGE_CLONE ((uint64_t)1<<2)
+#define EXILE_SYSCALL_PLEDGE_CPATH ((uint64_t)1<<3)
+#define EXILE_SYSCALL_PLEDGE_DPATH ((uint64_t)1<<4)
+#define EXILE_SYSCALL_PLEDGE_EXEC ((uint64_t)1<<5)
+#define EXILE_SYSCALL_PLEDGE_FATTR ((uint64_t)1<<6)
+#define EXILE_SYSCALL_PLEDGE_FSNOTIFY ((uint64_t)1<<7)
+#define EXILE_SYSCALL_PLEDGE_ID ((uint64_t)1<<8)
+#define EXILE_SYSCALL_PLEDGE_INET ((uint64_t)1<<9)
+#define EXILE_SYSCALL_PLEDGE_PROC ((uint64_t)1<<10)
+#define EXILE_SYSCALL_PLEDGE_PROT_EXEC ((uint64_t)1<<11)
+#define EXILE_SYSCALL_PLEDGE_RPATH ((uint64_t)1<<12)
+#define EXILE_SYSCALL_PLEDGE_SCHED ((uint64_t)1<<13)
+#define EXILE_SYSCALL_PLEDGE_SHM ((uint64_t)1<<14)
+#define EXILE_SYSCALL_PLEDGE_STDIO ((uint64_t)1<<15)
+#define EXILE_SYSCALL_PLEDGE_UNIX ((uint64_t)1<<16)
+#define EXILE_SYSCALL_PLEDGE_WPATH ((uint64_t)1<<17)
+
+#define EXILE_SYSCALL_PLEDGE_DENY_ERROR ((uint64_t)1<<63)
+
+
 #define EXILE_ARGFILTERS_COUNT 60
 struct exile_syscall_policy
 {
@@ -708,6 +312,8 @@ struct exile_policy
 	char chroot_target_path[PATH_MAX];
 	const char *chdir_path;
 
+	uint64_t pledge_promises;
+
 	/* Do not manually add policies here, use exile_append_path_polic*() */
 	struct exile_path_policy *path_policies;
 	struct exile_path_policy **path_policies_tail;
@@ -718,6 +324,272 @@ struct exile_policy
 
 };
 
+
+static struct syscall_pledge_map exile_pledge_map[] =
+{
+	{EXILE_SYS(read), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(write), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(open), EXILE_SYSCALL_PLEDGE_RPATH|EXILE_SYSCALL_PLEDGE_WPATH},
+	{EXILE_SYS(close), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(stat), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(fstat), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(lstat), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(poll), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(lseek), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mmap), EXILE_SYSCALL_PLEDGE_STDIO|EXILE_SYSCALL_PLEDGE_PROT_EXEC},
+	{EXILE_SYS(mprotect), EXILE_SYSCALL_PLEDGE_STDIO|EXILE_SYSCALL_PLEDGE_PROT_EXEC},
+	{EXILE_SYS(munmap), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(brk), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(rt_sigaction), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(rt_sigprocmask), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(rt_sigreturn), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(ioctl), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(pread64), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(pwrite64), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(readv), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(writev), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(access), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(pipe), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(select), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(sched_yield), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mremap), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(msync), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mincore), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(madvise), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(shmget), EXILE_SYSCALL_PLEDGE_SHM},
+	{EXILE_SYS(shmat), EXILE_SYSCALL_PLEDGE_SHM},
+	{EXILE_SYS(shmctl), EXILE_SYSCALL_PLEDGE_SHM},
+	{EXILE_SYS(dup), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(dup2), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(pause), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(nanosleep), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getitimer), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(alarm), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setitimer), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getpid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(sendfile), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(socket), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(connect), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(accept), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(sendto), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(recvfrom), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(sendmsg), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(recvmsg), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(shutdown), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(bind), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(listen), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(getsockname), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(getpeername), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(socketpair), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setsockopt), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(getsockopt), EXILE_SYSCALL_PLEDGE_INET|EXILE_SYSCALL_PLEDGE_UNIX},
+	{EXILE_SYS(clone), EXILE_SYSCALL_PLEDGE_CLONE},
+	{EXILE_SYS(fork), EXILE_SYSCALL_PLEDGE_CLONE},
+	{EXILE_SYS(vfork), EXILE_SYSCALL_PLEDGE_CLONE},
+	{EXILE_SYS(execve), EXILE_SYSCALL_PLEDGE_EXEC},
+	{EXILE_SYS(exit), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(wait4), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(kill), EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(uname), EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(semget), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(semop), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(semctl), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(shmdt), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(msgget), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(msgsnd), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(msgrcv), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(msgctl), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(fcntl), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(flock), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(fsync), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(fdatasync), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(truncate), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(ftruncate), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getdents), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(getcwd), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(chdir), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(fchdir), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(rename), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(mkdir), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(rmdir), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(creat), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(link), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(unlink), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(symlink), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(readlink), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(chmod), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(fchmod), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(chown), EXILE_SYSCALL_PLEDGE_CHOWN},
+	{EXILE_SYS(fchown), EXILE_SYSCALL_PLEDGE_CHOWN},
+	{EXILE_SYS(lchown), EXILE_SYSCALL_PLEDGE_CHOWN},
+	{EXILE_SYS(umask), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(gettimeofday), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getrlimit), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getrusage), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(sysinfo), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(times), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getuid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getgid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setuid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(setgid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(geteuid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getegid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setpgid), EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(getppid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getpgrp), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setsid), EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(setreuid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(setregid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(getgroups), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setgroups), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(setresuid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(getresuid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setresgid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(getresgid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getpgid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setfsuid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(setfsgid), EXILE_SYSCALL_PLEDGE_ID},
+	{EXILE_SYS(getsid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(capget), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(rt_sigpending), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(rt_sigtimedwait), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(rt_sigqueueinfo), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(rt_sigsuspend), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(utime), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(mknod), EXILE_SYSCALL_PLEDGE_DPATH},
+	{EXILE_SYS(uselib), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(ustat), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(statfs), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(fstatfs), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(getpriority), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setpriority), EXILE_SYSCALL_PLEDGE_SCHED|EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(sched_setparam), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(sched_getparam), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(sched_setscheduler), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(sched_getscheduler), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(sched_get_priority_max), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(sched_get_priority_min), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(sched_rr_get_interval), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(mlock), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(munlock), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mlockall), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(munlockall), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(vhangup), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(setrlimit), EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(sync), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(gettid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(readahead), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(setxattr), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(lsetxattr), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(fsetxattr), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(getxattr), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(lgetxattr), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(fgetxattr), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(listxattr), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(llistxattr), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(flistxattr), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(removexattr), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(lremovexattr), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(fremovexattr), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(tkill), EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(time), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(sched_getaffinity), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(set_thread_area), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(get_thread_area), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(lookup_dcookie), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(epoll_create), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(epoll_ctl_old), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(epoll_wait_old), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(remap_file_pages), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getdents64), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(set_tid_address), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(semtimedop), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(fadvise64), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(timer_create), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(timer_settime), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(timer_gettime), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(timer_getoverrun), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(timer_delete), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(clock_gettime), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(clock_getres), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(clock_nanosleep), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(exit_group), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(epoll_wait), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(epoll_ctl), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(tgkill), EXILE_SYSCALL_PLEDGE_PROC},
+	{EXILE_SYS(utimes), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(mbind), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(get_mempolicy), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mq_open), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mq_unlink), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mq_timedsend), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mq_timedreceive), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mq_notify), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(mq_getsetattr), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(waitid), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(inotify_init), EXILE_SYSCALL_PLEDGE_FSNOTIFY},
+	{EXILE_SYS(inotify_add_watch), EXILE_SYSCALL_PLEDGE_FSNOTIFY},
+	{EXILE_SYS(inotify_rm_watch), EXILE_SYSCALL_PLEDGE_FSNOTIFY},
+	{EXILE_SYS(openat), EXILE_SYSCALL_PLEDGE_RPATH|EXILE_SYSCALL_PLEDGE_WPATH},
+	{EXILE_SYS(mkdirat), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(mknodat), EXILE_SYSCALL_PLEDGE_DPATH},
+	{EXILE_SYS(fchownat), EXILE_SYSCALL_PLEDGE_CHOWN},
+	{EXILE_SYS(futimesat), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(newfstatat), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(unlinkat), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(renameat), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(linkat), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(symlinkat), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(readlinkat), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(fchmodat), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(faccessat), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(pselect6), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(ppoll), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(splice), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(tee), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(sync_file_range), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(vmsplice), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(move_pages), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(utimensat), EXILE_SYSCALL_PLEDGE_FATTR},
+	{EXILE_SYS(epoll_pwait), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(signalfd), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(timerfd_create), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(eventfd), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(fallocate), EXILE_SYSCALL_PLEDGE_WPATH|EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(timerfd_settime), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(timerfd_gettime), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(accept4), EXILE_SYSCALL_PLEDGE_UNIX|EXILE_SYSCALL_PLEDGE_INET},
+	{EXILE_SYS(signalfd4), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(eventfd2), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(epoll_create1), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(dup3), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(pipe2), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(inotify_init1), EXILE_SYSCALL_PLEDGE_FSNOTIFY},
+	{EXILE_SYS(preadv), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(pwritev), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(recvmmsg), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(fanotify_init), EXILE_SYSCALL_PLEDGE_FSNOTIFY},
+	{EXILE_SYS(fanotify_mark), EXILE_SYSCALL_PLEDGE_FSNOTIFY},
+	{EXILE_SYS(open_by_handle_at), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(sendmmsg), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(getcpu), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(sched_setattr), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(sched_getattr), EXILE_SYSCALL_PLEDGE_SCHED},
+	{EXILE_SYS(renameat2), EXILE_SYSCALL_PLEDGE_CPATH},
+	{EXILE_SYS(getrandom), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(execveat), EXILE_SYSCALL_PLEDGE_EXEC},
+	{EXILE_SYS(mlock2), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(copy_file_range), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(statx), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(clone3), EXILE_SYSCALL_PLEDGE_CLONE},
+	{EXILE_SYS(close_range), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(openat2), EXILE_SYSCALL_PLEDGE_RPATH|EXILE_SYSCALL_PLEDGE_WPATH},
+	{EXILE_SYS(faccessat2), EXILE_SYSCALL_PLEDGE_RPATH},
+	{EXILE_SYS(process_madvise), EXILE_SYSCALL_PLEDGE_STDIO},
+	{EXILE_SYS(epoll_pwait2), EXILE_SYSCALL_PLEDGE_STDIO}
+};
+
+
 static int is_valid_syscall_policy(unsigned int policy)
 {
 	return policy == EXILE_SYSCALL_ALLOW || policy == EXILE_SYSCALL_DENY_RET_ERROR || policy == EXILE_SYSCALL_DENY_KILL_PROCESS;
@@ -758,50 +630,155 @@ int exile_append_syscall_default_policy(struct exile_policy *exile_policy, unsig
 	return exile_append_syscall_policy(exile_policy, EXILE_SYSCALL_MATCH_ALL, default_policy, NULL, 0);
 }
 
-static void get_group_syscalls(uint64_t mask, long *syscalls, size_t *n)
+/* Returns, for the specific syscall, the correct sock_filter struct for the provided pledge_promises
+
+	Returns: 0 if none copied, otherwise the number of entries in "filter".
+ */
+
+static int get_pledge_argfilter(long syscall, uint64_t pledge_promises, struct sock_filter *filter)
 {
-	size_t count = 0;
-	for(unsigned long i = 0; i < sizeof(sc_group_map)/sizeof(sc_group_map[0]); i++)
+	struct sock_filter mmap_no_exec[] = {
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[2]))),
+		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, PROT_EXEC, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0)};
+
+	struct sock_filter ioctl_default[] = {
+			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, FIONREAD, EXILE_SYSCALL_EXIT_BPF_RETURN, 0),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, FIONBIO, EXILE_SYSCALL_EXIT_BPF_RETURN, 0),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, FIOCLEX, EXILE_SYSCALL_EXIT_BPF_RETURN, 0),
+			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, FIONCLEX, EXILE_SYSCALL_EXIT_BPF_RETURN, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
+		};
+
+	/* open() and friends with read-only flags */
+	struct sock_filter open_rdonly[] = {
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
+		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_CREAT, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0),
+		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_TMPFILE, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0),
+		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0),
+		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_RDWR, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0),
+		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_APPEND, EXILE_SYSCALL_EXIT_BPF_NO_MATCH, 0),
+	};
+
+	struct sock_filter socket_filter[4] = {
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[0]))),
+		EXILE_BPF_NOP,
+		EXILE_BPF_NOP,
+		EXILE_BPF_NOP
+	};
+
+	int result = 0;
+	int current_filter_index = 1;
+	switch(syscall)
 	{
-		struct syscall_group_map *current = &sc_group_map[i];
-		if(current->groupmask & mask)
-		{
-			syscalls[count] = current->syscall;
-			++count;
-		}
+		case EXILE_SYS(mmap):
+		case EXILE_SYS(mprotect):
+			if(pledge_promises & EXILE_SYSCALL_PLEDGE_PROT_EXEC)
+			{
+				/* If prot exec is allowed, there is no need to filter anything here */
+				result = 0;
+				break;
+			}
+			if(pledge_promises & EXILE_SYSCALL_PLEDGE_STDIO)
+			{
+				result = sizeof(mmap_no_exec)/sizeof(mmap_no_exec[0]);
+				memcpy(filter, mmap_no_exec, sizeof(mmap_no_exec));
+			}
+			break;
+		case EXILE_SYS(ioctl):
+			if(pledge_promises & EXILE_SYSCALL_PLEDGE_STDIO)
+			{
+				result = sizeof(ioctl_default)/sizeof(ioctl_default[0]);
+				memcpy(filter, ioctl_default, sizeof(ioctl_default));
+			}
+			break;
+		case EXILE_SYS(open):
+		case EXILE_SYS(openat):
+		case EXILE_SYS(open_by_handle_at):
+			/* TODO: This is still a mess with all those combinations.
+			 We should think of something better */
+			if(syscall == EXILE_SYS(openat) || syscall ==  EXILE_SYS(open_by_handle_at))
+			{
+				/* for openat, it's the third arg */
+				open_rdonly[0].k = offsetof(struct seccomp_data, args[2]);
+			}
+			/* The combination of those three implies no filtering of open args */
+			if((pledge_promises & (EXILE_SYSCALL_PLEDGE_CPATH|EXILE_SYSCALL_PLEDGE_RPATH|EXILE_SYSCALL_PLEDGE_WPATH)) == (EXILE_SYSCALL_PLEDGE_CPATH|EXILE_SYSCALL_PLEDGE_RPATH|EXILE_SYSCALL_PLEDGE_WPATH))
+			{
+				result = 0;
+				break;
+			}
+			/* If cpath is legal, don't filter O_CREAT */
+			if(pledge_promises & EXILE_SYSCALL_PLEDGE_CPATH)
+			{
+				open_rdonly[1] = (struct sock_filter) EXILE_BPF_NOP;
+			}
+			if(pledge_promises & EXILE_SYSCALL_PLEDGE_WPATH)
+			{
+				open_rdonly[2] = (struct sock_filter) EXILE_BPF_NOP;
+				open_rdonly[3] = (struct sock_filter) EXILE_BPF_NOP;
+				open_rdonly[4] = (struct sock_filter) EXILE_BPF_NOP;
+				open_rdonly[5] = (struct sock_filter) EXILE_BPF_NOP;
+			}
+			result = sizeof(open_rdonly)/sizeof(open_rdonly[0]);
+			memcpy(filter, open_rdonly, sizeof(open_rdonly));
+			break;
+		case EXILE_SYS(socket):
+			if(pledge_promises & EXILE_SYSCALL_PLEDGE_UNIX)
+			{
+				socket_filter[current_filter_index] = (struct sock_filter) BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AF_UNIX, EXILE_SYSCALL_EXIT_BPF_RETURN, 0);
+				++current_filter_index;
+			}
+			if(pledge_promises & EXILE_SYSCALL_PLEDGE_INET)
+			{
+				socket_filter[current_filter_index] = (struct sock_filter) BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AF_INET, EXILE_SYSCALL_EXIT_BPF_RETURN, 0);
+				++current_filter_index;
+				socket_filter[current_filter_index] = (struct sock_filter) BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AF_INET6, EXILE_SYSCALL_EXIT_BPF_RETURN, 0);
+				++current_filter_index;
+			}
+			socket_filter[current_filter_index-1].jf = EXILE_SYSCALL_EXIT_BPF_NO_MATCH;
+			result = current_filter_index;
+			memcpy(filter, socket_filter, result * sizeof(struct sock_filter));
 	}
-	*n = count;
+	return result;
 }
 
-int exile_append_group_syscall_policy(struct exile_policy *exile_policy, unsigned int syscall_policy, uint64_t groupmask)
+static int get_pledge_syscall_policy(long syscall,  uint64_t pledge_promises)
 {
-	long syscalls[400] = { 0 };
-	size_t n = 0;
+	int result = EXILE_SYSCALL_ALLOW;
+	switch(syscall)
+	{
+		case EXILE_SYS(openat2):
+			result = EXILE_SYSCALL_DENY_RET_ERROR;
+	}
+	return result;
+}
 
-	if(groupmask & EXILE_SYSCGROUP_NONE)
+int exile_append_pledge_promises(struct exile_policy *policy, uint64_t pledge_promises)
+{
+
+	for(unsigned int i = 0; i < sizeof(exile_pledge_map)/sizeof(exile_pledge_map[0]); i++)
 	{
-		EXILE_LOG_ERROR("Error: 'None' is an illegal group name\n");
-		return -EINVAL;
-	}
-	get_group_syscalls(groupmask, syscalls, &n);
-	if(n == 0)
-	{
-		EXILE_LOG_ERROR("Error: No syscalls found for group mask\n");
-		return -EINVAL;
-	}
-	for(size_t i = 0; i < n; i++)
-	{
-		int ret = exile_append_syscall_policy(exile_policy, syscalls[i], syscall_policy, NULL, 0);
-		if(ret != 0)
+		struct syscall_pledge_map *current_map = &exile_pledge_map[i];
+		if(current_map->pledgemask & pledge_promises)
 		{
-			EXILE_LOG_ERROR("Error: Failed while trying to append group policy\n");
-			return ret;
+			struct sock_filter filter[EXILE_ARGFILTERS_COUNT];
+			long syscall = current_map->syscall;
+			int syscall_policy = get_pledge_syscall_policy(syscall, pledge_promises);
+			int argfilters = get_pledge_argfilter(syscall, pledge_promises, filter);
+			int ret = exile_append_syscall_policy(policy, syscall, syscall_policy, filter, argfilters);
+			if(ret != 0)
+			{
+				EXILE_LOG_ERROR("Failed adding syscall policy from pledge while processing %li\n", syscall);
+				return ret;
+			}
+
 		}
 	}
-
-	return 0;
+	int pledge_policy = (pledge_promises & EXILE_SYSCALL_PLEDGE_DENY_ERROR) ? EXILE_SYSCALL_DENY_RET_ERROR : EXILE_SYSCALL_DENY_KILL_PROCESS;
+	return exile_append_syscall_default_policy(policy, pledge_policy);
 }
 
+
 /* Creates the default policy
  * Must be freed using exile_free_policy
  * @returns: default policy */
@@ -821,6 +798,8 @@ struct exile_policy *exile_init_policy()
 	result->path_policies = NULL;
 	result->path_policies_tail = &(result->path_policies);
 
+	result->pledge_promises = 0;
+
 	result->syscall_policies = NULL;
 	result->syscall_policies_tail = &(result->syscall_policies);
 
@@ -1219,14 +1198,23 @@ static void append_syscall_to_bpf(struct exile_syscall_policy *syscallpolicy, st
 			for(size_t i = 0; i < syscallpolicy->argfilterscount; i++)
 			{
 				filter[*start_index] = syscallpolicy->argfilters[i];
-				__u8 jump_count = next_syscall_pc;
+				__u8 jump_count_next_syscall = next_syscall_pc;
+				__u8 jump_count_return = jump_count_next_syscall - 1;
 				if(filter[*start_index].jt == EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
 				{
-					filter[*start_index].jt = jump_count;
+					filter[*start_index].jt = jump_count_next_syscall;
+				}
+				if(filter[*start_index].jt == EXILE_SYSCALL_EXIT_BPF_RETURN)
+				{
+					filter[*start_index].jt = jump_count_return;
 				}
 				if(filter[*start_index].jf == EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
 				{
-					filter[*start_index].jf = jump_count;
+					filter[*start_index].jf = jump_count_next_syscall;
+				}
+				if(filter[*start_index].jf == EXILE_SYSCALL_EXIT_BPF_RETURN)
+				{
+					filter[*start_index].jf = jump_count_return;
 				}
 				--next_syscall_pc;
 				++*start_index;
@@ -1235,7 +1223,7 @@ static void append_syscall_to_bpf(struct exile_syscall_policy *syscallpolicy, st
 	struct sock_filter syscall_action = BPF_STMT(BPF_RET+BPF_K, action);
 	/* TODO: we can do better than adding this below every jump */
 	filter[(*start_index)++] = syscall_action;
-	
+
 }
 /*
  * Enables the seccomp policy
@@ -1529,18 +1517,6 @@ static int enable_no_fs(struct exile_policy *policy)
 			return -1;
 		}
 
-		//TODO: we don't have to do this if there whitelisted policies, in that case we will be behind the default deny anyway
-		int ret = exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_FS);
-		if(ret != 0)
-		{
-			EXILE_LOG_ERROR("Failed to add system calls to policy\n");
-			return -1;
-		}
-		if(exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW) != 0)
-		{
-			EXILE_LOG_ERROR("Failed to add default policy when adding denied filesystem-related system calls\n");
-			return -1;
-		}
 		return 0;
 }
 
@@ -1692,6 +1668,16 @@ int exile_enable_policy(struct exile_policy *policy)
 	close(landlock_ruleset_fd);
 #endif
 
+	if(policy->pledge_promises != 0)
+	{
+		int ret = exile_append_pledge_promises(policy, policy->pledge_promises);
+		if(ret != 0)
+		{
+			EXILE_LOG_ERROR("exile_append_pledge_promises() failed: %i\n", ret);
+			return ret;
+		}
+	}
+
 	if(policy->syscall_policies != NULL)
 	{
 		return exile_enable_syscall_policy(policy);
@@ -1701,3 +1687,6 @@ int exile_enable_policy(struct exile_policy *policy)
 	return 0;
 }
 #endif
+
+
+
diff --git a/gengroup.py b/gengroup.py
deleted file mode 100755
index a2dbf65..0000000
--- a/gengroup.py
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/python
-import sys
-import re
-if len(sys.argv) < 2:
-	print("Usage: gengroup groupfile")
-	sys.exit(1)
-fd = open(sys.argv[1], "r")
-
-lines = fd.read().splitlines()
-
-groupnames = set()
-ifndef = dict()	
-
-def print_ifndefs():
-	for name in ifndef:
-		print("#ifndef __NR_%s" % name)
-		print("#define __NR_%s %s" % (name, ifndef[name]))
-		print("#endif")
-
-def print_defines(names):
-	names = sorted(names)
-	i = 0
-	for name in names:
-		define = "#define %s ((uint64_t)1<<%s)" % (name, i)
-		print(define)
-		i = i + 1
-
-for line in lines:
-	if line[0] == '#':
-		continue
-
-	splitted = line.split(' ')
-	if len(splitted) < 2:
-		print("Misformated line:", line)
-		sys.exit(1)
-
-	currentsyscall = splitted[0]
-	currentgroups = splitted[1].split(',')
-	
-	flags = splitted[2] if len(splitted) > 2 else ""
-	if any( not s or s.isspace() for s in currentgroups ):
-		print("Misformated line (empty values):", line)
-		sys.exit(1)
-	groupnames.update(currentgroups)
-	
-	genifndef = re.match(r"genifndef\((\d+)*\)", flags)
-	if genifndef:
-		ifndef[currentsyscall] = genifndef.groups(1)[0]
-	
-	array_line = "{EXILE_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
-	print(array_line)
-
-print_ifndefs()
-print_defines(groupnames)
-
diff --git a/grouping_x86-64.txt b/grouping_x86-64.txt
deleted file mode 100644
index 3eeec24..0000000
--- a/grouping_x86-64.txt
+++ /dev/null
@@ -1,363 +0,0 @@
-# Assign system calls to groups. In the future, may also include simple arg filtering.
-read EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-write EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-open EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-close EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-stat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-lstat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-poll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-lseek EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mprotect EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-munmap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-brk EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigaction EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigprocmask EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigreturn EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-ioctl EXILE_SYSCGROUP_IOCTL,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pread64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pwrite64 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-readv EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-writev EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-access EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-pipe EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-select EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sched_yield EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mremap EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msync EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mincore EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-madvise EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmget EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmat EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmctl EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-dup EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-dup2 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pause EXILE_SYSCGROUP_PAUSE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-nanosleep EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-alarm EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setitimer EXILE_SYSCGROUP_TIMER,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getpid EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sendfile EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-socket EXILE_SYSCGROUP_SOCKET
-connect EXILE_SYSCGROUP_SOCKET
-accept EXILE_SYSCGROUP_SOCKET
-sendto EXILE_SYSCGROUP_SOCKET
-recvfrom EXILE_SYSCGROUP_SOCKET
-sendmsg EXILE_SYSCGROUP_SOCKET
-recvmsg EXILE_SYSCGROUP_SOCKET
-shutdown EXILE_SYSCGROUP_SOCKET
-bind EXILE_SYSCGROUP_SOCKET
-listen EXILE_SYSCGROUP_SOCKET
-getsockname EXILE_SYSCGROUP_SOCKET
-getpeername EXILE_SYSCGROUP_SOCKET
-socketpair EXILE_SYSCGROUP_SOCKET,EXILE_SYSCGROUP_IPC
-setsockopt EXILE_SYSCGROUP_SOCKET
-getsockopt EXILE_SYSCGROUP_SOCKET
-clone EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-vfork EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-execve EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_EXEC
-exit EXILE_SYSCGROUP_PROCESS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-wait4 EXILE_SYSCGROUP_EXEC
-kill EXILE_SYSCGROUP_KILL
-uname EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-semget EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-semop EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-semctl EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-shmdt EXILE_SYSCGROUP_SHM,EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgget EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgsnd EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgrcv EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-msgctl EXILE_SYSCGROUP_IPC,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fcntl EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-flock EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fsync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-fdatasync EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-truncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-ftruncate EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-getdents EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-getcwd EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-chdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-rename EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-mkdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-rmdir EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-creat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-link EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-unlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-symlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-readlink EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-chmod EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchmod EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-chown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-lchown EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-umask EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-gettimeofday EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getrlimit EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getrusage EXILE_SYSCGROUP_RES,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sysinfo EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_DEFAULT_ALLOW
-times EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_DEFAULT_ALLOW
-ptrace EXILE_SYSCGROUP_PTRACE,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-syslog EXILE_SYSCGROUP_SYS
-getgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setuid EXILE_SYSCGROUP_ID
-setgid EXILE_SYSCGROUP_ID
-geteuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getegid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setpgid EXILE_SYSCGROUP_ID
-getppid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getpgrp EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setsid EXILE_SYSCGROUP_ID
-setreuid EXILE_SYSCGROUP_ID
-setregid EXILE_SYSCGROUP_ID
-getgroups EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setgroups EXILE_SYSCGROUP_ID
-setresuid EXILE_SYSCGROUP_ID
-getresuid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setresgid EXILE_SYSCGROUP_ID
-getresgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-getpgid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-setfsuid EXILE_SYSCGROUP_ID
-setfsgid EXILE_SYSCGROUP_ID
-getsid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-capget EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_DEFAULT_ALLOW
-capset EXILE_SYSCGROUP_ID
-rt_sigpending EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigtimedwait EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigqueueinfo EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-rt_sigsuspend EXILE_SYSCGROUP_RT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sigaltstack EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
-utime EXILE_SYSCGROUP_TIME,EXILE_SYSCGROUP_FS
-mknod EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_FS
-uselib EXILE_SYSCGROUP_LIB,EXILE_SYSCGROUP_DEFAULT_ALLOW
-personality EXILE_SYSCGROUP_PROCESS
-ustat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
-statfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
-fstatfs EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_FS
-sysfs EXILE_SYSCGROUP_SYS,EXILE_SYSCGROUP_FS
-getpriority EXILE_SYSCGROUP_SCHED
-setpriority EXILE_SYSCGROUP_SCHED
-sched_setparam EXILE_SYSCGROUP_SCHED
-sched_getparam EXILE_SYSCGROUP_SCHED
-sched_setscheduler EXILE_SYSCGROUP_SCHED
-sched_getscheduler EXILE_SYSCGROUP_SCHED
-sched_get_priority_max EXILE_SYSCGROUP_SCHED
-sched_get_priority_min EXILE_SYSCGROUP_SCHED
-sched_rr_get_interval EXILE_SYSCGROUP_SCHED
-mlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-munlock EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-mlockall EXILE_SYSCGROUP_MEMORY
-munlockall EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-vhangup EXILE_SYSCGROUP_TTY
-modify_ldt EXILE_SYSCGROUP_PROCESS
-pivot_root EXILE_SYSCGROUP_CHROOT
-_sysctl EXILE_SYSCGROUP_SYS
-prctl EXILE_SYSCGROUP_PROCESS
-arch_prctl EXILE_SYSCGROUP_PROCESS
-adjtimex EXILE_SYSCGROUP_CLOCK
-setrlimit EXILE_SYSCGROUP_RES
-chroot EXILE_SYSCGROUP_CHROOT,EXILE_SYSCGROUP_FS
-sync EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-acct EXILE_SYSCGROUP_PROCESS
-settimeofday EXILE_SYSCGROUP_TIME
-mount EXILE_SYSCGROUP_MOUNT,EXILE_SYSCGROUP_FS
-umount2 EXILE_SYSCGROUP_UMOUNT,EXILE_SYSCGROUP_FS
-swapon EXILE_SYSCGROUP_SWAP
-swapoff EXILE_SYSCGROUP_SWAP
-reboot EXILE_SYSCGROUP_POWER
-sethostname EXILE_SYSCGROUP_HOST
-setdomainname EXILE_SYSCGROUP_HOST
-iopl EXILE_SYSCGROUP_IOPL
-ioperm EXILE_SYSCGROUP_IOPL
-create_module EXILE_SYSCGROUP_KMOD
-init_module EXILE_SYSCGROUP_KMOD
-delete_module EXILE_SYSCGROUP_KMOD
-get_kernel_syms EXILE_SYSCGROUP_KMOD
-query_module EXILE_SYSCGROUP_KMOD
-quotactl EXILE_SYSCGROUP_QUOTA
-nfsservctl EXILE_SYSCGROUP_NONE
-getpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
-putpmsg EXILE_SYSCGROUP_UNIMPLEMENTED
-afs_syscall EXILE_SYSCGROUP_UNIMPLEMENTED
-tuxcall EXILE_SYSCGROUP_UNIMPLEMENTED
-security EXILE_SYSCGROUP_UNIMPLEMENTED
-gettid EXILE_SYSCGROUP_ID,EXILE_SYSCGROUP_THREAD
-readahead EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
-setxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-lsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-fsetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-getxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-lgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fgetxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-listxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-llistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-flistxattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-removexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-lremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-fremovexattr EXILE_SYSCGROUP_XATTR,EXILE_SYSCGROUP_FS
-tkill EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_SIGNAL
-time EXILE_SYSCGROUP_TIME
-futex EXILE_SYSCGROUP_THREAD,EXILE_SYSCGROUP_FUTEX
-sched_setaffinity EXILE_SYSCGROUP_SCHED
-sched_getaffinity EXILE_SYSCGROUP_SCHED
-set_thread_area EXILE_SYSCGROUP_THREAD
-io_setup EXILE_SYSCGROUP_IO
-io_destroy EXILE_SYSCGROUP_IO
-io_getevents EXILE_SYSCGROUP_IO
-io_submit EXILE_SYSCGROUP_IO
-io_cancel EXILE_SYSCGROUP_IO
-get_thread_area EXILE_SYSCGROUP_THREAD
-lookup_dcookie EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
-epoll_create EXILE_SYSCGROUP_STDIO
-epoll_ctl_old EXILE_SYSCGROUP_STDIO
-epoll_wait_old EXILE_SYSCGROUP_STDIO
-remap_file_pages EXILE_SYSCGROUP_NONE
-getdents64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FS
-set_tid_address EXILE_SYSCGROUP_THREAD
-restart_syscall EXILE_SYSCGROUP_SYSCALL
-semtimedop EXILE_SYSCGROUP_SEM
-fadvise64 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
-timer_create EXILE_SYSCGROUP_TIMER
-timer_settime EXILE_SYSCGROUP_TIMER
-timer_gettime EXILE_SYSCGROUP_TIMER
-timer_getoverrun EXILE_SYSCGROUP_TIMER
-timer_delete EXILE_SYSCGROUP_TIMER
-clock_settime EXILE_SYSCGROUP_TIME
-clock_gettime EXILE_SYSCGROUP_TIME
-clock_getres EXILE_SYSCGROUP_TIME
-clock_nanosleep EXILE_SYSCGROUP_TIME
-exit_group EXILE_SYSCGROUP_EXIT,EXILE_SYSCGROUP_DEFAULT_ALLOW
-epoll_wait EXILE_SYSCGROUP_FD
-epoll_ctl EXILE_SYSCGROUP_FD
-tgkill EXILE_SYSCGROUP_SIGNAL,EXILE_SYSCGROUP_THREAD
-utimes EXILE_SYSCGROUP_PATH
-vserver EXILE_SYSCGROUP_UNIMPLEMENTED
-mbind EXILE_SYSCGROUP_MEMORY
-set_mempolicy EXILE_SYSCGROUP_MEMORY
-get_mempolicy EXILE_SYSCGROUP_MEMORY
-mq_open EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_unlink EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_timedsend EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_timedreceive EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_notify EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-mq_getsetattr EXILE_SYSCGROUP_MQ,EXILE_SYSCGROUP_IPC
-kexec_load EXILE_SYSCGROUP_KEXEC
-waitid EXILE_SYSCGROUP_SIGNAL
-add_key EXILE_SYSCGROUP_KEYS
-request_key EXILE_SYSCGROUP_KEYS
-keyctl EXILE_SYSCGROUP_KEYS
-ioprio_set EXILE_SYSCGROUP_PRIO
-ioprio_get EXILE_SYSCGROUP_PRIO
-inotify_init EXILE_SYSCGROUP_INOTIFY
-inotify_add_watch EXILE_SYSCGROUP_INOTIFY
-inotify_rm_watch EXILE_SYSCGROUP_INOTIFY
-migrate_pages EXILE_SYSCGROUP_PROCESS
-openat EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-mkdirat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-mknodat EXILE_SYSCGROUP_DEV,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchownat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-futimesat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-newfstatat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-unlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-renameat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-linkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-symlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-readlinkat EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-fchmodat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-faccessat EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-pselect6 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-ppoll EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW,EXILE_SYSCGROUP_FS
-unshare EXILE_SYSCGROUP_NS,EXILE_SYSCGROUP_FS
-set_robust_list EXILE_SYSCGROUP_FUTEX
-get_robust_list EXILE_SYSCGROUP_FUTEX
-splice EXILE_SYSCGROUP_FD
-tee EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-sync_file_range EXILE_SYSCGROUP_FD
-vmsplice EXILE_SYSCGROUP_FD
-move_pages EXILE_SYSCGROUP_PROCESS
-utimensat EXILE_SYSCGROUP_PATH
-epoll_pwait EXILE_SYSCGROUP_STDIO
-signalfd EXILE_SYSCGROUP_SIGNAL
-timerfd_create EXILE_SYSCGROUP_TIMER
-eventfd EXILE_SYSCGROUP_FD
-fallocate EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_FD
-timerfd_settime EXILE_SYSCGROUP_TIMER
-timerfd_gettime EXILE_SYSCGROUP_TIMER
-accept4 EXILE_SYSCGROUP_SOCKET
-signalfd4 EXILE_SYSCGROUP_FD
-eventfd2 EXILE_SYSCGROUP_FD
-epoll_create1 EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW
-dup3 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-pipe2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-inotify_init1 EXILE_SYSCGROUP_INOTIFY
-preadv EXILE_SYSCGROUP_STDIO
-pwritev EXILE_SYSCGROUP_STDIO
-rt_tgsigqueueinfo EXILE_SYSCGROUP_RT
-perf_event_open EXILE_SYSCGROUP_PERF
-recvmmsg EXILE_SYSCGROUP_SOCKET
-fanotify_init EXILE_SYSCGROUP_FANOTIFY
-fanotify_mark EXILE_SYSCGROUP_FANOTIFY
-prlimit64 EXILE_SYSCGROUP_RES
-name_to_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
-open_by_handle_at EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_FS
-clock_adjtime EXILE_SYSCGROUP_CLOCK
-syncfs EXILE_SYSCGROUP_FD
-sendmmsg EXILE_SYSCGROUP_SOCKET
-setns EXILE_SYSCGROUP_NS
-getcpu EXILE_SYSCGROUP_SCHED
-#maybe IPC, but feels wrong
-process_vm_readv EXILE_SYSCGROUP_NONE
-process_vm_writev EXILE_SYSCGROUP_NONE
-kcmp EXILE_SYSCGROUP_NONE
-finit_module EXILE_SYSCGROUP_KMOD
-sched_setattr EXILE_SYSCGROUP_SCHED
-sched_getattr EXILE_SYSCGROUP_SCHED,EXILE_SYSCGROUP_DEFAULT_ALLOW
-renameat2 EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW
-seccomp EXILE_SYSCGROUP_NONE
-getrandom EXILE_SYSCGROUP_DEFAULT_ALLOW
-memfd_create EXILE_SYSCGROUP_MEMORY,EXILE_SYSCGROUP_DEFAULT_ALLOW
-kexec_file_load EXILE_SYSCGROUP_KEXEC
-bpf EXILE_SYSCGROUP_NONE
-execveat EXILE_SYSCGROUP_EXEC
-userfaultfd EXILE_SYSCGROUP_NONE
-membarrier EXILE_SYSCGROUP_NONE
-mlock2 EXILE_SYSCGROUP_MEMORY
-copy_file_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_DEFAULT_ALLOW
-preadv2 EXILE_SYSCGROUP_STDIO
-pwritev2 EXILE_SYSCGROUP_STDIO
-#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
-pkey_mprotect EXILE_SYSCGROUP_PKEY genifndef(329)
-pkey_alloc EXILE_SYSCGROUP_PKEY genifndef(330)
-pkey_free EXILE_SYSCGROUP_PKEY genifndef(331)
-statx EXILE_SYSCGROUP_STAT,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
-io_pgetevents EXILE_SYSCGROUP_NONE genifndef(333)
-rseq EXILE_SYSCGROUP_THREAD genifndef(334)
-pidfd_send_signal EXILE_SYSCGROUP_PIDFD genifndef(424)
-io_uring_setup EXILE_SYSCGROUP_IOURING genifndef(425)
-io_uring_enter EXILE_SYSCGROUP_IOURING genifndef(426)
-io_uring_register EXILE_SYSCGROUP_IOURING genifndef(427)
-open_tree EXILE_SYSCGROUP_NEWMOUNT genifndef(428)
-move_mount EXILE_SYSCGROUP_NEWMOUNT genifndef(429)
-fsopen EXILE_SYSCGROUP_NEWMOUNT genifndef(430)
-fsconfig EXILE_SYSCGROUP_NEWMOUNT genifndef(431)
-fsmount EXILE_SYSCGROUP_NEWMOUNT genifndef(432)
-fspick EXILE_SYSCGROUP_NEWMOUNT genifndef(433)
-pidfd_open EXILE_SYSCGROUP_PIDFD genifndef(434)
-clone3 EXILE_SYSCGROUP_CLONE,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
-close_range EXILE_SYSCGROUP_STDIO,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
-openat2 EXILE_SYSCGROUP_FD,EXILE_SYSCGROUP_PATH,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
-pidfd_getfd EXILE_SYSCGROUP_PIDFD genifndef(438)
-faccessat2 EXILE_SYSCGROUP_PERMS,EXILE_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
-process_madvise EXILE_SYSCGROUP_MEMORY genifndef(440)
-epoll_pwait2 EXILE_SYSCGROUP_STDIO genifndef(441)
-mount_setattr EXILE_SYSCGROUP_NONE genifndef(442)
-quotactl_fd EXILE_SYSCGROUP_QUOTA genifndef(443)
-landlock_create_ruleset EXILE_SYSCGROUP_LANDLOCK genifndef(444)
-landlock_add_rule EXILE_SYSCGROUP_LANDLOCK genifndef(445)
-landlock_restrict_self EXILE_SYSCGROUP_LANDLOCK genifndef(446)
-memfd_secret EXILE_SYSCGROUP_NONE genifndef(447)
-process_mrelease EXILE_SYSCGROUP_NONE genifndef(448)
diff --git a/test.c b/test.c
index e00cd27..f6943a5 100644
--- a/test.c
+++ b/test.c
@@ -181,38 +181,16 @@ int test_seccomp_errno()
 	return test_successful_exit(&do_test_seccomp_errno);
 }
 
-static int test_seccomp_group()
-{
-	struct exile_policy *policy = exile_init_policy();
-
-	if(exile_append_group_syscall_policy(policy, EXILE_SYSCALL_DENY_RET_ERROR, EXILE_SYSCGROUP_SOCKET) != 0)
-	{
-		printf("nothing added\n");
-		return 1;
-	}
-	exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
-
-	xexile_enable_policy(policy);
-
-	int s = socket(AF_INET,SOCK_STREAM,0);
-	if(s != -1)
-	{
-		printf("Failed: socket was expected to return error, but returned %i\n", s);
-		return 1;
-	}
-	return 0;
-}
-
 int test_seccomp_argfilter_allowed()
 {
 	struct exile_policy *policy = exile_init_policy();
 
-	struct sock_filter argfilter[2] = 
+	struct sock_filter argfilter[2] =
 	{
 		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
 		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
 	};
-	
+
 	exile_append_syscall_policy(policy, EXILE_SYS(open),EXILE_SYSCALL_DENY_RET_ERROR,  argfilter, 2);
 	exile_append_syscall_default_policy(policy, EXILE_SYSCALL_ALLOW);
 	xexile_enable_policy(policy);
@@ -233,7 +211,7 @@ int test_seccomp_argfilter_filtered()
 {
 	struct exile_policy *policy = exile_init_policy();
 
-	struct sock_filter argfilter[2] = 
+	struct sock_filter argfilter[2] =
 	{
 		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
 		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
@@ -259,7 +237,7 @@ int test_seccomp_argfilter_mixed()
 {
 	struct exile_policy *policy = exile_init_policy();
 
-	struct sock_filter argfilter[2] = 
+	struct sock_filter argfilter[2] =
 	{
 		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, args[1]))),
 		BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, O_WRONLY, 0, EXILE_SYSCALL_EXIT_BPF_NO_MATCH)
@@ -303,6 +281,72 @@ int test_seccomp_argfilter_mixed()
 	return 0;
 }
 
+
+int do_test_seccomp_pledge_socket()
+{
+	struct exile_policy *policy = exile_init_policy();
+	policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_INET | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
+	xexile_enable_policy(policy);
+
+	int s = socket(AF_INET, SOCK_STREAM, 0);
+	if(s == -1)
+	{
+		printf("Failed: socket was expected to succeed, but returned %i\n", s);
+		return 1;
+	}
+	s = socket(AF_UNIX, SOCK_DGRAM, 0);
+	if(s != -1)
+	{
+		printf("Failed: socket was expected to fail, but returned %i\n", s);
+		return 1;
+	}
+	return 0;
+}
+
+int do_test_seccomp_pledge_open()
+{
+	struct exile_policy *policy = exile_init_policy();
+	policy->pledge_promises = EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_RPATH | EXILE_SYSCALL_PLEDGE_DENY_ERROR;
+	xexile_enable_policy(policy);
+
+	int ret = open("/dev/urandom", O_WRONLY  | O_APPEND);
+	if(ret != -1)
+	{
+		printf("Failed: open was expected to fail, but returned %i\n", ret);
+		return 1;
+	}
+	ret = open("/dev/urandom", O_RDWR);
+	if(ret != -1)
+	{
+		printf("Failed: open O_RDWR was expected to fail, but returned %i\n", ret);
+		return 1;
+	}
+	ret = open("/dev/urandom", O_RDONLY);
+	if(ret == -1)
+	{
+		printf("Failed: open was expected to succceed, but returned %i\n", ret);
+		return 1;
+	}
+	return 0;
+}
+
+int test_seccomp_pledge()
+{
+	int ret = test_successful_exit(&do_test_seccomp_pledge_open);
+	if(ret != 0)
+	{
+		printf("Failed: do_test_seccomp_pledge_open()\n");
+		return 1;
+	}
+	ret = test_successful_exit(&do_test_seccomp_pledge_socket);
+	if(ret != 0)
+	{
+		printf("Failed: do_test_seccomp_pledge_socket()\n");
+		return 1;
+	}
+	return 0;
+}
+
 #if HAVE_LANDLOCK == 1
 int test_landlock()
 {
@@ -403,10 +447,10 @@ struct dispatcher dispatchers[] = {
 	{ "seccomp-x32-kill", &test_seccomp_x32_kill},
 	{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
 	{ "seccomp-errno", &test_seccomp_errno},
-	{ "seccomp-group", &test_seccomp_group},
 	{ "seccomp-argfilter-allowed", &test_seccomp_argfilter_allowed},
 	{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
 	{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
+	{ "seccomp-pledge", &test_seccomp_pledge},
 	{ "landlock", &test_landlock},
 	{ "landlock-deny-write", &test_landlock_deny_write },
 	{ "no_fs", &test_nofs},