# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp allow-list in minijail policy syntax. The entries below are added on
# top of whatever the included common_device.policy grants. "name: 1" allows
# the syscall with any arguments; an expression allows it only when the
# expression matches. The syscall set (xattrs, ownership, *at() file
# operations) suggests a file-system passthrough device -- TODO confirm
# against the file name.
#
# Argument filters can only compare register values. Paths, xattr names and
# other data passed by pointer are not visible to the filter, so limiting what
# openat/mknodat/unlinkat/... can reach has to come from elsewhere (mount
# namespace, uid/gid, capabilities), not from this file.
@include /usr/share/policy/crosvm/common_device.policy

copy_file_range: 1
fallocate: 1
fchdir: 1
fchmod: 1
fchmodat: 1
fchown: 1
fchownat: 1
fdatasync: 1
# Extended attributes: the attribute name is a pointer argument, so this
# filter cannot limit which namespace (user.*, security.*, trusted.*) is read
# or written; that is left to the kernel's own permission checks.
fgetxattr: 1
getxattr: 1
fsetxattr: 1
setxattr: 1
flistxattr: 1
listxattr: 1
fremovexattr: 1
removexattr: 1
fsync: 1
newfstatat: 1
fstatfs: 1
ftruncate: 1
getdents64: 1
getegid: 1
geteuid: 1
getrandom: 1
# arg1 is the ioctl request number; this entry allows only the requests
# listed and no others.
# Use constants for verity ioctls since minijail doesn't understand them yet.
# 0x40806685 = FS_IOC_ENABLE_VERITY
# 0xc0046686 = FS_IOC_MEASURE_VERITY
# The two hex values follow the generic _IOC encoding
# (direction << 30 | size << 16 | 'f' << 8 | nr).
# NOTE(review): architectures with a different _IOC layout would need
# different numbers -- confirm which targets consume this file.
ioctl: arg1 == FS_IOC_FSGETXATTR || \
       arg1 == FS_IOC_FSSETXATTR || \
       arg1 == FS_IOC_GETFLAGS || \
       arg1 == FS_IOC_SETFLAGS || \
       arg1 == FS_IOC_GET_ENCRYPTION_POLICY_EX || \
       arg1 == 0x40806685 || \
       arg1 == 0xc0046686
linkat: 1
lseek: 1
mkdirat: 1
# mknodat is allowed for any mode; creating device nodes is still subject to
# the kernel's CAP_MKNOD check, not to this filter.
mknodat: 1
openat: 1
preadv: 1
pwritev: 1
renameat2: 1
# Credential switching is allowed with any ids; which ids are actually
# reachable depends on the process's capabilities and user namespace.
setresgid: 1
setresuid: 1
symlinkat: 1
umask: 1
unlinkat: 1
utimensat: 1
# prctl is limited to three options by arg0. PR_SET_SECUREBITS changes how
# capabilities are handled across uid changes and exec.
prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
# capget, capset and unshare are allowed with any arguments.
# NOTE(review): if the device calls unshare only with a fixed flag set, an
# arg0 comparison would narrow that entry -- confirm against the caller
# before changing it.
capget: 1
capset: 1
unshare: 1