// Virtual resource `foo`: declares a single access function, `read`.
// NOTE(review): as a virtual declaration this is presumably meant to be
// inherited by concrete resources rather than used as a label itself;
// confirm against the resources that extend it.
virtual resource foo {
    // Allows the domain passed as `source` the `read` permission, object
    // class `file`, on `this` (the enclosing resource).
    //
    // The grant is deliberately narrow as written: only `read` is listed, so
    // nothing here permits write, append or execute access.
    // NOTE(review): `open` and `getattr` are separate permissions in the file
    // class and are not granted by this rule; verify whether callers that
    // open the file themselves get them elsewhere before widening this.
    fn read(domain source) {
        allow(source, this, file, read);
    }
}