| % minijail-config-file v0 |
| |
| profile=minimalistic-mountns |
| |
| # Enable VFS/mount namespace. |
| ns-mount |
| |
| # For logging. |
| bind-mount=/dev/log |
| |
| # Mount tmpfs on /run to allow for subsequent bind mounts. |
| mount=tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M |
| # For communication over dbus. |
| bind-mount=/run/dbus |
| # For receiving udev events. |
| bind-mount=/run/udev |
| |
| # Mount tmpfs on /sys to allow for subsequent bind mounts. |
| mount=tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M |
| # /sys/devices : needed because devices under /sys/bus/pci/devices |
| # are symlinks to here. |
| bind-mount=/sys/devices,,1 |
| # /sys/bus/pci : to manage the allowlist and the devices. |
| bind-mount=/sys/bus/pci,,1 |
| # /sys/bus/thunderbolt: to auth / deauth thunderbolt devices. |
| bind-mount=/sys/bus/thunderbolt/devices,,1 |