crosvm/seccomp/x86_64/tpm_device.policy

# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# common policy
brk: 1
clone: arg0 & CLONE_THREAD
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
futex: 1
getpid: 1
getrandom: 1
gettimeofday: 1
kill: 1
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
mmap: arg2 in ~PROT_EXEC
mprotect: arg2 in ~PROT_EXEC
mremap: 1
munmap: 1
nanosleep: 1
pipe2: 1
poll: 1
ppoll: 1
prctl: arg0 == PR_SET_NAME
read: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sendmsg: 1
set_robust_list: 1
sigaltstack: 1
write: 1

# tpm-specific policy
chdir: 1
fstat: 1
fsync: 1
ftruncate: 1
getuid: 1
lseek: 1
mkdir: 1
open: 1
openat: 1
socket: return EACCES
stat: 1
statx: 1