| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Starts bootlockbox daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started boot-services and started tpm_managerd |
| stop on stopping boot-services |
| |
| respawn |
| |
| pre-start script |
| LOCKBOX_DIR="/var/lib/bootlockbox" |
| mkdir -p -m 0755 "${LOCKBOX_DIR}" |
| chown -R bootlockboxd:bootlockboxd "${LOCKBOX_DIR}" |
| end script |
| |
| expect fork |
| exec minijail0 -i -n -p --uts -l \ |
| --profile minimalistic-mountns \ |
| -b /dev/log \ |
| -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/dbus \ |
| -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /var/lib/bootlockbox,,1 \ |
| -u bootlockboxd -g bootlockboxd \ |
| -S /usr/share/policy/bootlockboxd-seccomp.policy \ |
| -- /usr/sbin/bootlockboxd |