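# Copyright 2019 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Minijail seccomp policy: one "syscall: expression" rule per line.
#   "name: 1"             allows the syscall with any arguments.
#   "name: argN == X"     allows it only when the argument test holds.
#   "name: return ERRNO"  makes the syscall fail with that errno instead of
#                         running it.
# A syscall listed neither here nor in the included file gets the filter's
# default action (normally the process is killed).
# NOTE(review): judging by the syscall set (xattrs, fs-verity, mknodat,
# uid/gid switching) this looks like the policy for a file-system passthrough
# device -- confirm against the file's name in the tree.

# Shared baseline for crosvm devices. Its rules are not visible in this file;
# the effective allow-list is that file plus the rules below, so the two have
# to be reviewed together.
@include /usr/share/policy/crosvm/common_device.policy

copy_file_range: 1
fallocate: 1
fchdir: 1
fchmod: 1
fchmodat: 1
fchown: 1
fchownat: 1
fdatasync: 1
fgetxattr: 1
getxattr: 1
fsetxattr: 1
setxattr: 1
flistxattr: 1
listxattr: 1
fremovexattr: 1
removexattr: 1
fstatfs: 1
fsync: 1
getdents64: 1
getegid: 1
geteuid: 1
getrandom: 1
getresuid: 1
# ioctl is limited to an allow-list of request codes, matched on arg1 (the
# request number). arg0 (the fd) is not constrained, and a seccomp filter
# only sees the register values, never the structure the third argument
# points to.
# Use constants for verity ioctls since minijail doesn't understand them yet.
# 0x40806685 = FS_IOC_ENABLE_VERITY
# 0xc0046686 = FS_IOC_MEASURE_VERITY
# An ioctl request number encodes the direction and the size of its argument
# structure, so these literals must be re-checked against linux/fsverity.h if
# that ABI ever changes; replace them with the names once minijail knows them.
ioctl: arg1 == FS_IOC_FSGETXATTR || \
       arg1 == FS_IOC_FSSETXATTR || \
       arg1 == FS_IOC_GETFLAGS || \
       arg1 == FS_IOC_SETFLAGS || \
       arg1 == FS_IOC_GET_ENCRYPTION_POLICY_EX || \
       arg1 == 0x40806685 || \
       arg1 == 0xc0046686
linkat: 1
mkdir: 1
mkdirat: 1
mknodat: 1
newfstatat: 1
# Legacy open() is refused with ENOENT rather than triggering the default
# action; openat below is the only path that can actually open a file.
# NOTE(review): presumably this lets a caller that probes open() fail softly
# -- confirm which caller needs it.
open: return ENOENT
openat: 1
preadv: 1
pwritev: 1
renameat2: 1
setresgid: 1
setresuid: 1
symlinkat: 1
statx: 1
umask: 1
unlinkat: 1
utimensat: 1
# prctl is limited to three operations (thread name, get/set securebits);
# any other arg0 falls through to the default action.
prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
# NOTE(review): capset, unshare, setresuid, setresgid and mknodat are allowed
# with no argument filter. The seccomp filter therefore does not bound what
# they can do; containment rests on the capabilities, user namespace and
# mount namespace the process is started with. If the device only ever calls
# unshare with a fixed set of flags, an arg0 test on that rule would narrow
# it -- confirm against the device code.
capget: 1
capset: 1
unshare: 1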