secagentd/minijail/secagentd.conf - third_party/platform2 - Git at Google

 % minijail-config-file v0

 # -u: Run as user secagentd.
 u = secagentd

 # -g: Run as group secagentd.
 g = secagentd

 # -n: Prevents that execve gains privileges.
 n

 # -c: Capabilties listed are needed for bpf functionality.
 #      cap_dac_read_search: Overrides DAC restrictions for reading files.
 #      cap_sys_resource: Needed for overriding memory limits.
 #      cap_perfmon: Needed for additional bpf operations (tracing).
 #      cap_bpf: Allows use of bpf operations.
 #      cap_sys_ptrace: Allows for using ptrace on processes.
 c = cap_dac_read_search,cap_sys_resource,cap_perfmon,cap_bpf,cap_sys_ptrace=e

 # --no-default-runtime-environment: Don't use the default security policy.
 no-default-runtime-environment
	% minijail-config-file v0

	# -u: Run as user secagentd.
	u = secagentd

	# -g: Run as group secagentd.
	g = secagentd

	# -n: Prevents that execve gains privileges.
	n

	# -c: Capabilties listed are needed for bpf functionality.
	# cap_dac_read_search: Overrides DAC restrictions for reading files.
	# cap_sys_resource: Needed for overriding memory limits.
	# cap_perfmon: Needed for additional bpf operations (tracing).
	# cap_bpf: Allows use of bpf operations.
	# cap_sys_ptrace: Allows for using ptrace on processes.
	c = cap_dac_read_search,cap_sys_resource,cap_perfmon,cap_bpf,cap_sys_ptrace=e

	# --no-default-runtime-environment: Don't use the default security policy.
	no-default-runtime-environment