/usr/share/seccomp/policygroups/ubuntu-core/16.04/system-monitor is in ubuntu-core-security-seccomp 16.04.15.1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Description: Can query system status information. This is restricted because
# it gives privileged read access to all processes on the system and should
# only be used with trusted apps.
# Usage: reserved

# ptrace can be used to break out of the seccomp sandbox, but ps requests
# 'ptrace (trace)' from apparmor. 'ps' does not need the ptrace syscall though,
# so we deny the ptrace here to make sure we are always safe.
deny ptrace