| # Copyright 2014 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the avahi daemon as a system service" |
| author "chromium-os-dev@chromium.org" |
| |
| start on starting system-services |
| stop on stopping system-services |
| |
| env AVAHI_DAEMON_CONF=/etc/avahi/avahi-daemon.conf |
| import NETNS |
| |
| respawn |
| expect fork |
| |
| pre-start script |
| mkdir -p /run/avahi-daemon |
| end script |
| |
| script |
| # -r: remount namespace to /proc inside the mini-jail |
| # (read only and implies -v). |
| # -v: forces process to enter into unique namespace with their own isolated |
| # instance of the global resource. |
| # -i: Exit immediately after fork(2). The jailed process will run in the |
| # background. |
| # -b /var/lib/dbus: We need read access to the dbus id. |
| # -b /run/dbus: We need access to dbus. |
| # -b /dev/log: We need access to syslog. |
| # -T static: static mode to lockdown pre-exec. |
| set -- /sbin/minijail0 -rvi --uts \ |
| -T static \ |
| --profile=minimalistic-mountns \ |
| -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /var/lib/dbus \ |
| -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/avahi-daemon,,1 \ |
| -b /run/dbus,,1 \ |
| -b /dev/log \ |
| /usr/sbin/avahi-daemon --syslog --file=${AVAHI_DAEMON_CONF} |
| # TODO(crbug.com/917790): Use minijail0 -e. Currently it fails to enter |
| # existing network namespaces by EBADF. |
| case "${NETNS}" in |
| "") ;; |
| *) set -- /bin/ip netns exec "${NETNS}" "$@";; |
| esac |
| exec "$@" |
| end script |
