| # Copyright 2017 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Universal addresses to RPC program number mapper" |
| author "chromium-os-dev@chromium.org" |
| |
| # The server will be invoked when a container is launched. |
| # It should not run automatically. |
| stop on stopping ui |
| |
| respawn |
| |
| pre-start script |
| mkdir -m 0710 -p "/run/rpcbind" |
| chown -R ganesha:ganesha "/run/rpcbind" |
| |
| iptables -A INPUT -p tcp -s 100.115.92.0/24 --dport 111 \ |
| -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -i vmtap+ |
| end script |
| |
| # Allow CAP_NET_BIND_SERVICE(10) |
| exec minijail0 -nplrvt -L \ |
| -S /usr/share/policy/rpcbind-seccomp.policy \ |
| --uts \ |
| -c 0x400 \ |
| -u ganesha -g ganesha \ |
| -P /mnt/empty \ |
| -b /,/ \ |
| -b /proc,/proc \ |
| -b /run/rpcbind,/run,1 \ |
| -- /sbin/rpcbind -f |
| |
| post-stop script |
| iptables -D INPUT -p tcp -s 100.115.92.0/24 --dport 111 \ |
| -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -i vmtap+ |
| end script |