diff --git a/seccomp/aarch64/tpm_device.policy b/seccomp/aarch64/tpm_device.policy
index 93d0013c70..75bd04ba67 100644
--- a/seccomp/aarch64/tpm_device.policy
+++ b/seccomp/aarch64/tpm_device.policy
@@ -2,58 +2,18 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
-# common policy
-brk: 1
-clock_gettime: 1
-clone: arg0 & CLONE_THREAD
-close: 1
-dup3: 1
-dup: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_pwait: 1
-eventfd2: 1
-exit: 1
-exit_group: 1
-futex: 1
-getcwd: 1
-getpid: 1
-getrandom: 1
-gettimeofday: 1
-kill: 1
-madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
-mmap: arg2 in ~PROT_EXEC
-mprotect: arg2 in ~PROT_EXEC
-mremap: 1
-munmap: 1
-nanosleep: 1
-clock_nanosleep: 1
-newfstatat: 1
-pipe2: 1
-ppoll: 1
-prctl: arg0 == PR_SET_NAME
-read: 1
-readlinkat: 1
-recvfrom: 1
-recvmsg: 1
-restart_syscall: 1
-rt_sigaction: 1
-rt_sigprocmask: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sendmsg: 1
-set_robust_list: 1
-sigaltstack: 1
-write: 1
+@include /usr/share/policy/crosvm/common_device.policy
-# tpm-specific policy
 chdir: 1
 fstat: 1
 fsync: 1
 ftruncate: 1
+getrandom: 1
 getuid: 1
 lseek: 1
 mkdirat: 1
+newfstatat: 1
 openat: 1
+prctl: arg0 == PR_SET_NAME
 socket: return EACCES
 statx: 1
diff --git a/seccomp/arm/tpm_device.policy b/seccomp/arm/tpm_device.policy
index 8d91f6b245..641b364b48 100644
--- a/seccomp/arm/tpm_device.policy
+++ b/seccomp/arm/tpm_device.policy
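Review bot: The `@include` line pulls the base allowlist from an absolute installed path, `/usr/share/policy/crosvm/common_device.policy`, so what the TPM device may call can no longer be read from this file and follows whatever is installed at that path. The contents of that file are not part of this diff, and any entry added to it later widens the TPM sandbox without tpm_device.policy being touched. I would add a comment above the include, for example `# Base allowlist shared by all devices; review changes there against the TPM device too.`, and one above the remaining entries saying why `getrandom`, `newfstatat` and `prctl` are listed here (presumably because the common file does not allow them). The arm and x86_64 hunks make the same change and want the same comments.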
@@ -2,67 +2,19 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
-# common policy
-brk: 1
-clock_gettime: 1
-clock_gettime64: 1
-clone: arg0 & CLONE_THREAD
-close: 1
-dup2: 1
-dup: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-eventfd2: 1
-exit: 1
-exit_group: 1
-futex: 1
-futex_time64: 1
-getcwd: 1
-getpid: 1
-getrandom: 1
-gettimeofday: 1
-kill: 1
-madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
-mmap2: arg2 in ~PROT_EXEC
-mprotect: arg2 in ~PROT_EXEC
-mremap: 1
-munmap: 1
-nanosleep: 1
-clock_nanosleep: 1
-clock_nanosleep_time64: 1
-pipe2: 1
-poll: 1
-ppoll: 1
-ppoll_time64: 1
-prctl: arg0 == PR_SET_NAME
-read: 1
-readlink: 1
-readlinkat: 1
-recv: 1
-recvfrom: 1
-recvmsg: 1
-recvmmsg_time64: 1
-restart_syscall: 1
-rt_sigaction: 1
-rt_sigprocmask: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sendmsg: 1
-set_robust_list: 1
-sigaltstack: 1
-write: 1
+@include /usr/share/policy/crosvm/common_device.policy
-# tpm-specific policy
 chdir: 1
 fstat: 1
 fsync: 1
 ftruncate: 1
+getrandom: 1
 getuid: 1
 lseek: 1
 mkdir: 1
 open: 1
 openat: 1
+prctl: arg0 == PR_SET_NAME
 socket: return EACCES
 stat: 1
 statx: 1
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index 2eae6e957f..d60631a6ba 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
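Review bot: The removed arm block allowed several entries that the rewritten file does not list again, among them the 32-bit time64 variants (`clock_gettime64`, `futex_time64`, `clock_nanosleep_time64`, `ppoll_time64`, `recvmmsg_time64`) as well as `mmap2`, `poll`, `recv` and `readlink`. Whether the arm build of common_device.policy carries all of them cannot be seen from this diff, and a call missing from the merged policy is normally fatal to the sandboxed process, so the device would fail at first use rather than at load. It is worth comparing the merged arm policy with the old file before landing and re-adding anything the common file lacks, the way `getrandom: 1` was re-added. The x86_64 hunk raises the same question for `dup2`, `epoll_wait`, `poll` and `readlink`.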
@@ -2,62 +2,20 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
-# common policy
-brk: 1
-clock_gettime: 1
-clone: arg0 & CLONE_THREAD
-close: 1
-dup2: 1
-dup: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-eventfd2: 1
-exit: 1
-exit_group: 1
-futex: 1
-getcwd: 1
-getpid: 1
-getrandom: 1
-gettimeofday: 1
-kill: 1
-madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
-mmap: arg2 in ~PROT_EXEC
-mprotect: arg2 in ~PROT_EXEC
-mremap: 1
-munmap: 1
-nanosleep: 1
-newfstatat: 1
-clock_nanosleep: 1
-pipe2: 1
-poll: 1
-ppoll: 1
-prctl: arg0 == PR_SET_NAME
-read: 1
-readlink: 1
-readlinkat: 1
-recvfrom: 1
-recvmsg: 1
-restart_syscall: 1
-rt_sigaction: 1
-rt_sigprocmask: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sendmsg: 1
-set_robust_list: 1
-sigaltstack: 1
-write: 1
+@include /usr/share/policy/crosvm/common_device.policy
-# tpm-specific policy
 chdir: 1
 fstat: 1
 fsync: 1
 ftruncate: 1
+getrandom: 1
 getuid: 1
 lseek: 1
 mkdir: 1
+newfstatat: 1
 open: 1
 openat: 1
+prctl: arg0 == PR_SET_NAME
 socket: return EACCES
 stat: 1
 statx: 1