blob: 3b01914b6d1ba0c71ed7b9300f1fc4be241097a0 [file] [log] [blame] [edit]
% minijail-config-file v0
# -u: Run as user secagentd.
u = secagentd
# -g: Run as group secagentd.
g = secagentd
# -n: Prevents that execve gains privileges.
n
# -c: Capabilties listed are needed for bpf functionality.
# cap_dac_read_search: Overrides DAC restrictions for reading files.
# cap_sys_resource: Needed for overriding memory limits.
# cap_perfmon: Needed for additional bpf operations (tracing).
# cap_bpf: Allows use of bpf operations.
# cap_sys_ptrace: Allows for using ptrace on processes.
c = cap_dac_read_search,cap_sys_resource,cap_perfmon,cap_bpf,cap_sys_ptrace=e
# --no-default-runtime-environment: Don't use the default security policy.
no-default-runtime-environment