arc/setup/init/minijail/arcvm-prepare-virtio-blk-data.conf - third_party/platform2 - Git at Google

 % minijail-config-file v0

 # Copyright 2024 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 # cap_sys_admin and /dev mount are needed for loop mounting virtio-blk /data.

 c = cap_dac_override,cap_dac_read_search,cap_chown,cap_fowner,cap_sys_admin+eip
 profile = minimalistic-mountns-nodev
 no-fs-restrictions
 uts
 e
 l
 p
 N
 K
 ns-mount
 bind-mount = /home
 mount = devtmpfs,/dev,devtmpfs,MS_NOSUID|MS_NOEXEC
 mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
 mount = /run/arcvm,/run/arcvm,none,MS_BIND|MS_REC
 mount = tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
 mount = /var/lib/metrics,/var/lib/metrics,none,MS_BIND|MS_REC
 bind-mount = /var/lib,,1
	% minijail-config-file v0

	# Copyright 2024 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	# cap_sys_admin and /dev mount are needed for loop mounting virtio-blk /data.

	c = cap_dac_override,cap_dac_read_search,cap_chown,cap_fowner,cap_sys_admin+eip
	profile = minimalistic-mountns-nodev
	no-fs-restrictions
	uts
	e
	l
	p
	N
	K
	ns-mount
	bind-mount = /home
	mount = devtmpfs,/dev,devtmpfs,MS_NOSUID\|MS_NOEXEC
	mount = tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC
	mount = /run/arcvm,/run/arcvm,none,MS_BIND\|MS_REC
	mount = tmpfs,/var,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC
	mount = /var/lib/metrics,/var/lib/metrics,none,MS_BIND\|MS_REC
	bind-mount = /var/lib,,1