| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "SmbProvider daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # This is started by D-Bus service activation through |
| # org.chromium.SmbProvider.service |
| stop on stopping ui |
| respawn |
| |
| # Minijail actually forks off the desired process. |
| expect fork |
| |
| pre-start script |
| # Check if ui is still running before starting smbproviderd. |
| # This is to prevent new dbus-activated instances from getting started once |
| # the system is beginning to shut down. |
| if ! initctl status ui | grep -q running; then |
| stop |
| exit 0 |
| fi |
| end script |
| |
| # -i makes sure minijail0 exits right away. |
| # -p Enter a new PID namespace and run the process as init (pid=1). |
| # -I Runs program as init inside a new pid namespace. |
| # -l Enter a new IPC namespace. |
| # --uts Enters a new UTS namespace. |
| # --profile=minimalistic-mountns Mount namespace with basic mounts |
| # includes /var/empty, /, /proc (RO), /dev/log, /tmp (tmpfs) |
| # -k tmpfs,/run,tmpfs Empty tmpfs for /run |
| # -b /run/dbus bind in for dbus communication |
| # -b /run/shill For /etc/resolv.conf |
| # -b /run/lockbox Needed to access "install attributes" |
| # -k /run/daemon-store... Needed to access saved passwords |
| # -S Apply seccomp filters. |
| # --mount-dev Creates a new /dev with a minimal set of nodes. |
| # -b Binds <src> to <dest> in chroot. |
| # -u Run as smbproviderd user. |
| # -g Run as smbproviderd group. |
| exec minijail0 \ |
| -i \ |
| -p \ |
| -I \ |
| -l \ |
| --uts \ |
| --profile=minimalistic-mountns \ |
| -k tmpfs,/run,tmpfs \ |
| -b /run/dbus \ |
| -b /run/shill \ |
| -b /run/lockbox \ |
| -k '/run/daemon-store/smbproviderd,/run/daemon-store/smbproviderd,\ |
| none,MS_BIND|MS_REC' \ |
| -S /usr/share/policy/smbprovider-seccomp.policy \ |
| -u smbproviderd -g smbproviderd \ |
| /usr/sbin/smbproviderd |
| |
| post-start exec minijail0 -u smbproviderd -g smbproviderd /usr/bin/gdbus \ |
| wait --system --timeout 15 org.chromium.SmbProvider |