| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Authpolicy daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # The service is started by Chrome via UpstartClient::StartAuthPolicyService(). |
| stop on stopping ui |
| respawn |
| |
| pre-start script |
| # Create a folder on encstateful where krb5_machine.keytab and config.dat are |
| # going to live. The group x access is required by the authpolicyd-exec user |
| # to access the keytab. config.dat is a private file of authpolicyd. All other |
| # files are written to /tmp which is created fresh for each authpolicyd |
| # invocation. (see -t option). |
| AUTHPOLICY_LIB_DIR=/var/lib/authpolicyd |
| mkdir -m 0710 -p "${AUTHPOLICY_LIB_DIR}" |
| chown -R authpolicyd:authpolicyd "${AUTHPOLICY_LIB_DIR}" |
| |
| # Create a folder in /run where the flags default level is stored. Files in |
| # /run are wiped on reboot, so that logging is reset on reboot and not |
| # permanently persisted for privacy and security reasons. |
| AUTHPOLICY_RUN_DIR=/run/authpolicyd |
| mkdir -m 0700 -p "${AUTHPOLICY_RUN_DIR}" |
| chown -R authpolicyd:authpolicyd "${AUTHPOLICY_RUN_DIR}" |
| end script |
| |
| # Minijail actually forks off the desired process. |
| expect fork |
| |
| # -i makes sure minijail0 exits right away and won't block upstart. |
| # -p creates PID namespace (process won't see any other processes). |
| # -l creates IPC namespace (isolates System V IPC objects/POSIX message queues). |
| # -r remounts /proc read-only (prevents any messing with it). |
| # -v enters new mount namespace, allows to change mounts inside jail. |
| # -t creates new, empty tmp directory (technically, mounts tmpfs). |
| # -n prevents that execve gains privileges, required for seccomp filters. |
| # -c 180 sets the CAP_SETPCAP and CAP_SETUID capabilities to drop capabilities |
| # from the bounding set resp. to change user (we switch to authpolicyd-exec |
| # internally when running Samba code or parsing data). |
| # -P creates a pivot_root at the target folder. |
| # -b /,/ mounts dev/root read-only. |
| # -b /run,/run and -b /var,/var mount read-only, required for D-Bus. |
| # -b /dev,/dev and -b /sys,/sys are required for net ads join to work. |
| # -b /var/lib/authpolicyd,/tmp/var_lib_authpolicyd,1 mounts read-write to store |
| # authpolicyd state. |
| # -b /var/lib/metrics,/var/lib/metrics,1 mounts read-write to store UMA metrics. |
| # -u authpolicyd changes user. |
| # -g authpolicyd changes group. |
| # -e is not specified because the service needs to connect to an AD server to |
| # join a domain, authenticate users and fetch user and device policies. |
| exec minijail0 -i -p -l -r -v -t -n -c 180 -P /tmp/authpolicyd_chroot -b /,/ \ |
| -b /dev,/dev -b /sys,/sys -b /run,/run -b /var,/var \ |
| -b /run/authpolicyd,/run/authpolicyd,1 \ |
| -b /var/lib/authpolicyd,/var/lib/authpolicyd,1 \ |
| -b /var/lib/metrics,/var/lib/metrics,1 \ |
| -u authpolicyd -g authpolicyd \ |
| /usr/sbin/authpolicyd |
| |
| # TO TEST: |
| # - Run without exec |
| # - Remove -t (so test code can read files form there), and add -b /tmp,/tmp,1 |
| |
| # Wait for daemon to claim its D-Bus name before transitioning to started. |
| post-start exec minijail0 -u authpolicyd -g authpolicyd /usr/bin/gdbus \ |
| wait --system --timeout 15 org.chromium.AuthPolicy |