The seccomp policies are effectively an allow-list of syscalls and their arguments that a program is allowed to issue. The general idea to creating a starter policy is to run the program with strace and log the system calls that the kernel saw. This is a tough job, since there is no guarantee that you can exercise all code paths and error cases, where additional system calls may present themselves.
See Sandboxing Chrome OS system services for more information.
See comments in run_bio_crypto_init_strace.sh and run_biod_strace.sh.
Starting in kernel 4.14, CROS_EC_DEV_IOC* symbolic names refer to the EC V2 protocol. These commands appear as CROS_EC_DEV_IOC*_V2 in the EC codebase. See the following: