hardware_verifier: add user and group entries.

In order to limit the capabilities when calling the hardware_verifier binary from the upstart job, we add a hardware_verifier user/group and invoke the binary with minijail.

BUG=b:147654337
TEST=emerge-$BOARD hardware_verifier

Change-Id: Iaf9baab810749a11440368fc95cc7e7df17145e9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/eclass-overlay/+/2087555
Reviewed-by: Stimim Chen <stimim@chromium.org>
Reviewed-by: Chun-ta Lin (ping on chat if not responsive) <itspeter@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Chun-ta Lin (ping on chat if not responsive) <itspeter@chromium.org>
Commit-Queue: Clark Chung <ckclark@chromium.org>
diff --git a/profiles/base/accounts/group/hardware_verifier b/profiles/base/accounts/group/hardware_verifier new file mode 100644 index 0000000..ad88e19 --- /dev/null +++ b/profiles/base/accounts/group/hardware_verifier
@@ -0,0 +1,3 @@ +group:hardware_verifier +gid:417 +users:hardware_verifier
diff --git a/profiles/base/accounts/user/hardware_verifier b/profiles/base/accounts/user/hardware_verifier new file mode 100644 index 0000000..26b39ce --- /dev/null +++ b/profiles/base/accounts/user/hardware_verifier
@@ -0,0 +1,6 @@ +user:hardware_verifier +uid:417 +gid:417 +gecos:standalone user for running hardware_verifier binary minijailed +home:/dev/null +shell:/bin/false
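Review bot: in profiles/base/accounts/group/hardware_verifier, `gid:417` is a fixed id and nothing in the change or its TEST line shows it was checked against the other entries under profiles/base/accounts. Please confirm 417 is unused in both the group and user directories, since the user file pairs it with `uid:417`. A collision would make this account share ownership with another service, which defeats the isolation the commit message is after.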
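Review bot: in profiles/base/accounts/user/hardware_verifier, the `gecos:` text and the commit message both say the binary runs minijailed, but this change only adds the two account files and the upstart job that drops to this user is not part of it. Please reference the change that switches the job to `hardware_verifier:hardware_verifier`, or reword the gecos to state only the account's purpose, so the account is not read as already enforcing anything. `home:/dev/null` and `shell:/bin/false` are the right choices for a non-login service account. The TEST line covers only the emerge, so it would also help to note a check that uid 417 actually appears in the built image's passwd database.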