| # Copyright 2019 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Kerberos daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # The service is started by Chrome on demand. |
| stop on stopping ui |
| respawn |
| |
| # Minijail actually forks off the desired process. |
| expect fork |
| |
| pre-start script |
| # Check if ui is still running before starting kerberosd. |
| # This is to prevent new dbus-activated instances from getting started once |
| # the system is beginning to shut down. |
| if ! initctl status ui | grep -q running; then |
| stop |
| exit 0 |
| fi |
| end script |
| |
| script |
| # Start constructing minijail0 args... |
| args="" |
| |
| # Make sure minijail0 exits right away and won't block upstart. |
| args="${args} -i" |
| |
| # Create a UTS namespace to isolate changes to the host / domain name. |
| args="${args} --uts" |
| |
| # Create a PID namespace (process won't see any other processes). |
| args="${args} -p" |
| |
| # Create an IPC namespace (isolate System V IPC objects/POSIX message queues). |
| args="${args} -l" |
| |
| # Remount /proc read-only (prevents any messing with it). |
| args="${args} -r" |
| |
| # Creates new, empty tmp directory (technically, mounts tmpfs). |
| args="${args} -t" |
| |
| # Prevent that execve gains privileges, required for seccomp filters. |
| args="${args} -n" |
| |
| # Apply seccomp policy. |
| args="${args} -S /usr/share/policy/kerberosd-seccomp.policy" |
| |
| # Use a minimalistic mount namespace. |
| args="${args} --profile minimalistic-mountns" |
| |
| # Mount /run as tmpfs read-only. |
| args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC" |
| |
| # Bind-mount /run/dbus read-only for D-Bus to work. |
| args="${args} -b /run/dbus" |
| |
| # Bind-mount /run/shill read-only, required for mit-krb5 (for resolv.conf?). |
| args="${args} -b /run/shill" |
| |
| # Bind-mount /var read-only to enable the /var/lib/metrics mount below. |
| args="${args} -b /var" |
| |
| # Bind-mount /var/lib/metrics read-write to store UMA metrics. |
| args="${args} -b /var/lib/metrics,,1" |
| |
| # Bind-moung daemon store folder. Note that we assume that we're already in |
| # the session, so no need for -Kslave. |
| daemon_store="/run/daemon-store/kerberosd" |
| args="${args} -k ${daemon_store},${daemon_store},none,MS_BIND|MS_REC" |
| |
| # Keep CAP_SETUID to switch to kerberosd-exec. This is safe since |
| # setuid_restrictions/kerberosd_whitelist.txt restricts setuid. |
| args="${args} -c cap_setuid=e" |
| |
| # Run as kerberosd user and group. |
| args="${args} -u kerberosd -g kerberosd" |
| |
| # Inherit kerberosd's supplementary groups, in particular 'password-viewers' |
| # to read the login password. |
| args="${args} -G" |
| |
| # Execute kerberosd. |
| args="${args} /usr/sbin/kerberosd" |
| |
| # -e is not specified because the service needs to connect to servers. |
| |
| exec minijail0 ${args} |
| end script |
| |
| # Wait for daemon to claim its D-Bus name before transitioning to started. |
| post-start exec minijail0 -u kerberosd -g kerberosd /usr/bin/gdbus \ |
| wait --system --timeout 15 org.chromium.Kerberos |