| # Copyright 2017 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "NFS server service" |
| author "chromium-os-dev@chromium.org" |
| |
| # The server will be invoked when a container is launched. |
| # It should not run automatically. |
| stop on stopping ui |
| |
| # Start and stop the server if rpcbind is started / stopped. |
| start on started rpcbind |
| stop on stopping rpcbind |
| |
| respawn |
| |
| pre-start script |
| NFSGANESHA_DIR="/run/ganesha/" |
| mkdir -m 0710 -p "${NFSGANESHA_DIR}" |
| chown -R ganesha:ganesha "${NFSGANESHA_DIR}" |
| |
| iptables -A INPUT -p tcp -s 100.115.92.0/24 --dport 2049 \ |
| -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -i vmtap+ |
| iptables -A INPUT -p tcp -s 100.115.92.0/24 --dport 2050 \ |
| -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -i vmtap+ |
| end script |
| |
| # -c 4CF provides NET_BIND_SERVICE(10), CAP_SETGID(6), CAP_SETUID(7), |
| # CAP_DAC_READ_SEARCH(2), CAP_DAV_OVERRIDE(1), CAP_FOWNER(3), CAP_CHOWN(0) |
| exec minijail0 -nplrvt \ |
| -c 4CF \ |
| -S /usr/share/policy/nfs-ganesha-seccomp.policy \ |
| --uts \ |
| -u ganesha -g ganesha \ |
| -P /var/empty \ |
| -b /,/ \ |
| -b /proc,/proc \ |
| -b /run/ganesha,/run,1 \ |
| -b /home/chronos/user/Downloads,/home/chronos/user,1 \ |
| -- /usr/bin/ganesha.nfsd \ |
| -L /run/ganesha.log \ |
| -p /run/ganesha.run \ |
| -f /run/ganesha.conf \ |
| -F -N NIV_NULL |
| |
| post-stop script |
| iptables -D INPUT -p tcp -s 100.115.92.0/24 --dport 2049 \ |
| -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -i vmtap+ |
| iptables -D INPUT -p tcp -s 100.115.92.0/24 --dport 2050 \ |
| -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -i vmtap+ |
| end script |