a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# 'whitelist' would normally mean kill a task doing any syscall which is not
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# whitelisted below. By appending 'trap' to the line, we will cause a SIGSYS
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# to be sent to the task instead. 'errno 0' would mean don't allow the system
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# call but immediately return 0. 'errno 22' would mean return EINVAL immediately.
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# Since we are listing system calls by name, we can also ask to have them resolved
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# for another arch, i.e. for 32/64-bit versions.
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# Do note that this policy does not whitelist enough system calls to allow a
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn# system container to boot.