| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Chrome OS Optical Character Recognition (OCR) Service" |
| author "chromium-os-dev@chromium.org" |
| |
| # This service is started by D-Bus service activation through |
| # org.chromium.OpticalCharacterRecognition.service |
| stop on stopping ui |
| |
| # Minijail forks off the desired process and exits after forking. |
| expect fork |
| |
| pre-start script |
| # Check if UI is still running before starting ocr_service. |
| # This is to prevent new dbus-activated instances from getting |
| # started once the system is beginning to shut down. |
| if ! initctl status ui | grep -q running; then |
| stop |
| exit 0 |
| fi |
| end script |
| |
| # Used jailing parameters: |
| # -e: enter new network namespace (for process that |
| # doesn't need network access); |
| # -i: minijail0 exits right after forking. |
| # -l: new IPC namespace (isolates IPC resources). |
| # -n: set no new privileges (no_new_privs bit). |
| # -p: Enter new pid namespace (implies -vr). |
| # -r: remount /proc read-only. |
| # -v: enter new mount namespace. |
| # --profile=minimalistic-mountns: Enables mount and process namespace |
| # which includes /var/empty, /, proc (RO), /dev/log, /tmp (tmpfs). |
| # -u: change userid to <user> |
| # -g: change gid to <group> |
| # -G: inherit supplementary groups from new uid. |
| # --uts: enters new UTS namespace. It makes changes to the host/domain |
| # name not affect the rest of the system. |
| # -k: regular mount (source, target, filesystemtype, mountflags, data) |
| # -b /run/dbus: mount /run/dbus to be able to communicate with D-bus. |
| exec minijail0 -e -i -l -n -p --uts \ |
| -u ocr_service -g ocr_service -G \ |
| --profile=minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \ |
| -b /run/dbus \ |
| -- /usr/bin/ocr_service |
| |
| post-start exec minijail0 -u ocr_service -g ocr_service /usr/bin/gdbus \ |
| wait --system --timeout 15 org.chromium.OpticalCharacterRecognition |