1# Copyright 2019 The Chromium OS Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5@include /usr/share/policy/crosvm/common_device.policy
6
# Minijail seccomp allowlist entries. "name: 1" permits the syscall with any
# arguments, "name: <expr>" permits it only when the argument expression holds,
# and "name: return <errno>" makes the call fail with that errno.
#
# File data, metadata, ownership and extended-attribute calls; none of these
# carry an argument filter.
7copy_file_range: 1
8fallocate: 1
9fchdir: 1
10fchmod: 1
11fchmodat: 1
12fchown: 1
13fchownat: 1
14fdatasync: 1
15fgetxattr: 1
16getxattr: 1
17fsetxattr: 1
18setxattr: 1
19flistxattr: 1
20listxattr: 1
21fremovexattr: 1
22removexattr: 1
23fstatfs: 1
24fsync: 1
25ftruncate: 1
26getdents64: 1
27getegid: 1
28geteuid: 1
29getrandom: 1
# ioctl is filtered on arg1 (the request number): only the FS_IOC_* requests
# listed below satisfy this rule.
# NOTE(review): the two hex literals encode direction and argument size in the
# request number, and that layout differs between architectures; confirm the
# values match every ABI this policy is built for.
30# Use constants for verity ioctls since minijail doesn't understand them yet.
31# 0x40806685 = FS_IOC_ENABLE_VERITY
32# 0xc0046686 = FS_IOC_MEASURE_VERITY
33ioctl: arg1 == FS_IOC_FSGETXATTR || \
34       arg1 == FS_IOC_FSSETXATTR || \
35       arg1 == FS_IOC_GETFLAGS || \
36       arg1 == FS_IOC_SETFLAGS || \
37       arg1 == FS_IOC_GET_ENCRYPTION_POLICY_EX || \
38       arg1 == 0x40806685 || \
39       arg1 == 0xc0046686
# Path and directory-entry operations, unfiltered.
40linkat: 1
41lseek: 1
42mkdir: 1
43mkdirat: 1
# NOTE(review): mknodat has no mode filter, so the seccomp layer does not stop
# device-node creation; whether it succeeds depends on the capabilities the
# process holds. Verify against the sandbox's capability set.
44mknodat: 1
45newfstatat: 1
# open() is not permitted but fails with ENOENT rather than hitting the filter's
# default action; openat is the call allowed for opening files.
# NOTE(review): presumably this lets callers that probe with open() degrade
# gracefully. Confirm.
46open: return ENOENT
47openat: 1
48preadv: 1
49pwritev: 1
50renameat2: 1
# NOTE(review): setresgid/setresuid are unfiltered, so any uid/gid value passes
# the seccomp layer; the effective limit is the process's capabilities and user
# namespace. Presumably used to act with a caller's credentials. Confirm.
51setresgid: 1
52setresuid: 1
53symlinkat: 1
54statx: 1
55umask: 1
56unlinkat: 1
57utimensat: 1
# prctl is filtered on arg0: only thread naming and reading/setting securebits
# satisfy this rule.
58prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
# NOTE(review): capset and unshare are allowed with any arguments. If the
# process only needs a fixed set of unshare flags, an arg0 filter would keep
# the remaining namespace types out of reach. Check the callers before
# tightening.
59capget: 1
60capset: 1
61unshare: 1