| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Android keymaster service in Chrome OS." |
| author "chromium-os-dev@chromium.org" |
| |
| start on start-arc-instance or starting arcvm-pre-login-services |
| stop on stop-arc-instance or stopping ui or stopping arcvm-pre-login-services |
| |
| script |
| logger -t "${UPSTART_JOB}" "Start arc-keymaster" |
| set -x |
| |
| # Initialize minijail0 arguments. |
| args="" |
| |
| # Enter new pid namespace (implies -vr). |
| # -v: Enter new mount namespace. |
| # -r: Remount /proc read-only. |
| args="$args -p" |
| # Enter a new cgroup namespace. |
| args="$args -N" |
| # Set no new privileges (no_new_privs). |
| args="$args -n" |
| # Enter a new UTS, IPC, and network namespace. |
| args="$args --uts -l -e" |
| # Set seccomp filter file. |
| args="$args -S /usr/share/policy/arc-keymasterd-seccomp.policy" |
| # Set user and group ids. |
| args="$args -u arc-keymasterd -g arc-keymasterd" |
| |
| # Mount /, /proc, /tmp, and a small /dev. |
| args="$args --profile minimalistic-mountns" |
| # Mount /run as a tmpfs so we can add more stuff to it. |
| args="$args -k tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M" |
| # Mount /run/lock in read-write mode, and /run/dbus in read-only. |
| args="$args -b /run/lock,,1" |
| args="$args -b /run/dbus" |
| |
| # Command to be executed in the minijail. |
| args="$args -- /usr/sbin/arc-keymasterd" |
| |
| logger -t "${UPSTART_JOB}" "Executing: minijail0 ${args}" |
| exec minijail0 $args |
| end script |
| |
| post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-keymaster" |