# Copyright 2019 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp allowlist in minijail policy syntax:
#   "<syscall>: 1"              allows the call with any arguments,
#   "<syscall>: <expression>"   allows it only when the argument test holds,
#   "<syscall>: return <errno>" makes the call fail with that errno instead of
#                               executing it.
# NOTE(review): the syscall set (xattr, verity, rename/link/mknod, credential
# switching) looks like a file-sharing device process; the file name is not
# visible here, so confirm which device loads this policy.
# NOTE(review): the *32 / *64 syscall names (fchown32, fstatat64, ...) suggest
# a 32-bit target architecture - confirm against the file's location.

# Shared baseline rules; everything below is added on top of them.
@include /usr/share/policy/crosvm/common_device.policy

copy_file_range: 1
fallocate: 1
fchdir: 1
fchmod: 1
fchmodat: 1
fchown32: 1
fchownat: 1
fdatasync: 1
# Extended attributes: get/set/list/remove, each in its fd-based and
# path-based form.
fgetxattr: 1
getxattr: 1
fsetxattr: 1
setxattr: 1
flistxattr: 1
listxattr: 1
fremovexattr: 1
removexattr: 1
fstatat64: 1
fstatfs: 1
fstatfs64: 1
fsync: 1
getdents64: 1
getegid32: 1
geteuid32: 1
getrandom: 1
getresuid32: 1
# ioctl is filtered on arg1, the request number; any request not listed in the
# expression below is rejected by the filter.
# Use constants for verity ioctls since minijail doesn't understand them yet.
# 0x40806685 = FS_IOC_ENABLE_VERITY
# 0xc0046686 = FS_IOC_MEASURE_VERITY
ioctl: arg1 == FS_IOC_FSGETXATTR || \
       arg1 == FS_IOC_FSSETXATTR || \
       arg1 == FS_IOC_GETFLAGS || \
       arg1 == FS_IOC_SETFLAGS || \
       arg1 == FS_IOC_GET_ENCRYPTION_POLICY_EX || \
       arg1 == 0x40806685 || \
       arg1 == 0xc0046686
linkat: 1
mkdir: 1
mkdirat: 1
# NOTE(review): mknodat is allowed with any mode, so this filter does not limit
# which node types can be created; that has to be enforced elsewhere (e.g. by
# the capabilities the process keeps) - confirm.
mknodat: 1
# open() is never executed: the filter makes it fail with ENOENT. openat (next
# line) is the permitted way to open files.
# NOTE(review): presumably some library code still probes with open() and must
# see an ordinary error rather than a filter violation - confirm.
open: return ENOENT
openat: 1
preadv: 1
pwritev: 1
renameat2: 1
# Real/effective/saved uid and gid changes are allowed with any values; the
# filter places no bound on the ids the process may switch to.
setresgid32: 1
setresuid32: 1
statx: 1
symlinkat: 1
umask: 1
unlinkat: 1
utimensat: 1
utimensat_time64: 1
# prctl is filtered on arg0, the option: only setting the thread name and
# reading or writing the securebits flags are allowed.
prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
# Capability get/set and unshare are allowed with any arguments.
# NOTE(review): if the process only ever calls unshare with a fixed set of
# flags, an arg0 test here would narrow the rule - confirm against the code
# that runs under this policy before tightening.
capget: 1
capset: 1
unshare: 1