pciguard/minijail/pciguard.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 % minijail-config-file v0

 profile=minimalistic-mountns

 # Enable VFS/mount namespace.
 ns-mount

 # For logging.
 bind-mount=/dev/log

 # Mount tmpfs on /run to allow for subsequent bind mounts.
 mount=tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M
 # For communication over dbus.
 bind-mount=/run/dbus
 # For receiving udev events.
 bind-mount=/run/udev

 # Mount tmpfs on /sys to allow for subsequent bind mounts.
 mount=tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M
 # /sys/devices  : needed because devices under /sys/bus/pci/devices
 #                 are symlinks to here.
 bind-mount=/sys/devices,,1
 # /sys/bus/pci  : to manage the allowlist and the devices.
 bind-mount=/sys/bus/pci,,1
 # /sys/bus/thunderbolt: to auth / deauth thunderbolt devices.
 bind-mount=/sys/bus/thunderbolt/devices,,1
	% minijail-config-file v0

	profile=minimalistic-mountns

	# Enable VFS/mount namespace.
	ns-mount

	# For logging.
	bind-mount=/dev/log

	# Mount tmpfs on /run to allow for subsequent bind mounts.
	mount=tmpfs,/run,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M
	# For communication over dbus.
	bind-mount=/run/dbus
	# For receiving udev events.
	bind-mount=/run/udev

	# Mount tmpfs on /sys to allow for subsequent bind mounts.
	mount=tmpfs,/sys,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M
	# /sys/devices : needed because devices under /sys/bus/pci/devices
	# are symlinks to here.
	bind-mount=/sys/devices,,1
	# /sys/bus/pci : to manage the allowlist and the devices.
	bind-mount=/sys/bus/pci,,1
	# /sys/bus/thunderbolt: to auth / deauth thunderbolt devices.
	bind-mount=/sys/bus/thunderbolt/devices,,1