system-proxy/init/system-proxy.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2020 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "System-proxy daemon"
 author          "chromium-os-dev@chromium.org"

 # The service is started by Chrome on demand.
 stop on stopping ui
 respawn
 respawn limit 3 5

 # Do not respawn if the service is terminated on purpose.
 normal exit 0

 # Sacrifice before OOM panic.
 oom score 0
 # TODO (acostinas, crbug.com/1045862) Add virtual memory size limit after
 # run-time analysis.

 # Minijail actually forks off the desired process.
 expect fork

 pre-start script
   # Check if ui is still running before starting the system proxy daemon.
   # This is to prevent new dbus-activated instances from getting started once
   # the system is beginning to shut down.
   if ! initctl status ui | grep -q running; then
     stop
     exit 0
   fi
 end script

 script
   # Start constructing minijail0 args...
   args=""

   # Make sure minijail0 exits right away and won't block upstart.
   args="${args} -i"

   # Create a UTS namespace to isolate changes to the host / domain name.
   args="${args} --uts"

   # Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
   args="${args} -l"

   # Remount /proc read-only (prevents any messing with it).
   args="${args} -r"

   # Creates new, empty tmp directory (technically, mounts tmpfs).
   args="${args} -t"

   # Prevent that execve gains privileges, required for seccomp filters.
   args="${args} -n"

   # Apply seccomp policy.
   args="${args} -S /usr/share/policy/system-proxy-seccomp.policy"

   # Use a minimalistic mount namespace.
   args="${args} --profile minimalistic-mountns"

   # Mount /run as tmpfs read-only.
   args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC"

   # Bind-mount /run/dbus read-only for D-Bus to work.
   args="${args} -b /run/dbus"

   # Bind-mount /sbin read-only to start sandboxed processes using minijail0.
   args="${args} -b /sbin"

   # Bind-mount /run/shill for DNS resolution.
   args="${args} -b /run/shill"

   # Run as system-proxy user and group.
   args="${args} -u system-proxy -g system-proxy"

   # Inherit system-proxy's supplementary groups, in particular
   # 'password-viewers' to read the login password.
   args="${args} -G"

   # Run with root permissions so that the daemon can start sandboxed processes.
   args="${args} -c cap_sys_admin=e"

   # Execute system-proxy.
   args="${args} /usr/sbin/system_proxy"

   # -e is not specified because the service needs to connect to servers.

   exec minijail0 ${args}
 end script

 # Wait for daemon to claim its D-Bus name before transitioning to started.
 post-start exec minijail0 -u system-proxy -g system-proxy /usr/bin/gdbus \
     wait --system --timeout 15 org.chromium.SystemProxy
	# Copyright 2020 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "System-proxy daemon"
	author "chromium-os-dev@chromium.org"

	# The service is started by Chrome on demand.
	stop on stopping ui
	respawn
	respawn limit 3 5

	# Do not respawn if the service is terminated on purpose.
	normal exit 0

	# Sacrifice before OOM panic.
	oom score 0
	# TODO (acostinas, crbug.com/1045862) Add virtual memory size limit after
	# run-time analysis.

	# Minijail actually forks off the desired process.
	expect fork

	pre-start script
	# Check if ui is still running before starting the system proxy daemon.
	# This is to prevent new dbus-activated instances from getting started once
	# the system is beginning to shut down.
	if ! initctl status ui \| grep -q running; then
	stop
	exit 0
	fi
	end script

	script
	# Start constructing minijail0 args...
	args=""

	# Make sure minijail0 exits right away and won't block upstart.
	args="${args} -i"

	# Create a UTS namespace to isolate changes to the host / domain name.
	args="${args} --uts"

	# Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
	args="${args} -l"

	# Remount /proc read-only (prevents any messing with it).
	args="${args} -r"

	# Creates new, empty tmp directory (technically, mounts tmpfs).
	args="${args} -t"

	# Prevent that execve gains privileges, required for seccomp filters.
	args="${args} -n"

	# Apply seccomp policy.
	args="${args} -S /usr/share/policy/system-proxy-seccomp.policy"

	# Use a minimalistic mount namespace.
	args="${args} --profile minimalistic-mountns"

	# Mount /run as tmpfs read-only.
	args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC"

	# Bind-mount /run/dbus read-only for D-Bus to work.
	args="${args} -b /run/dbus"

	# Bind-mount /sbin read-only to start sandboxed processes using minijail0.
	args="${args} -b /sbin"

	# Bind-mount /run/shill for DNS resolution.
	args="${args} -b /run/shill"

	# Run as system-proxy user and group.
	args="${args} -u system-proxy -g system-proxy"

	# Inherit system-proxy's supplementary groups, in particular
	# 'password-viewers' to read the login password.
	args="${args} -G"

	# Run with root permissions so that the daemon can start sandboxed processes.
	args="${args} -c cap_sys_admin=e"

	# Execute system-proxy.
	args="${args} /usr/sbin/system_proxy"

	# -e is not specified because the service needs to connect to servers.

	exec minijail0 ${args}
	end script

	# Wait for daemon to claim its D-Bus name before transitioning to started.
	post-start exec minijail0 -u system-proxy -g system-proxy /usr/bin/gdbus \
	wait --system --timeout 15 org.chromium.SystemProxy