<aegis>
  <!-- Aegis security manifest for the AegisFS package. It declares two
       credentials, the service account, the credentials requested for the
       /usr/bin/aegisfs daemon, and one credential for the INSTALL context. -->
  <provide>
    <!-- Gate on adding mount configuration: per the docstring, files placed
         in /etc/aegisfs.d are expected to be signed with this token.
         NOTE(review): where the signature is checked is not visible here;
         confirm the daemon rejects unsigned or wrongly signed files. -->
    <credential name="AegisFSMountAdd">
      <docstring>Configuration files added to /etc/aegisfs.d must be signed by this</docstring>
    </credential>
    <!-- Token that the daemon itself requests in the policy="add" block below.
         Per the docstring it is used to confirm that a directory really is an
         AegisFS mount. NOTE(review): any other holder of this token could
         presumably pass the same check, so keep the set of holders minimal. -->
    <credential name="aegisfs-verify">
      <docstring>This resource token is used for verifying that a directory actually is mounted
      by AegisFS</docstring>
    </credential>
  </provide>
  <!-- Service identity for the daemon; the names match the UID::aegisfs and
       GID::crypto credentials requested below. -->
  <account>
    <user name="aegisfs" group="crypto" />
  </account>
  <!-- Credentials for the binary named in the <for> element that closes this
       request. NOTE(review): policy="add" presumably adds these to whatever
       the process already holds; confirm against the Aegis manifest
       documentation. -->
  <request policy="add">
    <credential name="aegisfs-verify" />
    <credential name="UID::aegisfs" />
    <credential name="GID::crypto" />
    <!-- For mounting. NOTE(review): assuming CAP:: entries map to Linux
         capabilities, sys_admin covers far more than mount(2), so the
         daemon is effectively highly privileged despite the dedicated UID. -->
    <credential name="CAP::sys_admin" />
    <!-- For reading /proc/<pid>/exe, presumably to identify the calling
         executable (TODO confirm). The capability also permits attaching to
         other processes, which is wider than that single read. -->
    <credential name="CAP::sys_ptrace" />
    <!-- For accessing files owned by user. This bypasses file permission
         checks in general, not only for the intended user files, so path
         handling in the daemon is security critical. -->
    <credential name="CAP::dac_override" />
    <!-- For misc. NOTE(review): the three capabilities below carry no
         specific justification. ipc_lock is presumably for locking key
         material in memory, setuid for switching user identity, and fowner
         for operating on files the daemon does not own; confirm each is
         still required and record the reason per capability. -->
    <credential name="CAP::ipc_lock" />
    <credential name="CAP::setuid" />
    <credential name="CAP::fowner" />
    <for path="/usr/bin/aegisfs" id="daemon" />
  </request>
  <!-- Grants AegisFSMountAdd in the INSTALL context, with no <for> element.
       NOTE(review): presumably this lets the package's install-time scripts
       write signed configuration into /etc/aegisfs.d; verify that nothing
       beyond the maintainer scripts runs with this token. -->
  <request context="INSTALL">
    <credential name="AegisFSMountAdd" />
  </request>
</aegis>
