| # Copyright 2019 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start camera GPU algorithm service" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services |
| stop on stopping system-services |
| oom score 600 |
| expect fork |
| respawn |
| respawn limit 10 5 |
| |
| env SECCOMP_POLICY_FILE=/usr/share/policy/cros-camera-gpu-algo.policy |
| |
| script |
| # Start constructing minijail0 args... |
| set -- |
| |
| # Enter a new mount, network, PID, IPC and cgroup namespace. |
| set -- "$@" -v -e -p -l -N |
| |
| # Change user and group to arc-camera. Need -G to inherit video group for GPU |
| # access. |
| set -- "$@" -u arc-camera -g arc-camera -G |
| |
| # Set -i to fork and daemonize an init-like process that Upstart will track |
| # as the service. |
| set -- "$@" -i |
| |
| # Chroot and mount /dev, /sys, /proc, /tmp and /run/camera. This service uses |
| # either /dev/mali0 (arm) or /dev/dri/* (amd64) for GPU access. |
| set -- "$@" -P /mnt/empty -b / -b /proc -b /dev -b /sys |
| if [ -c "/dev/mali0" ]; then |
| set -- "$@" -b /dev/mali0,,1 |
| fi |
| if [ -d "/dev/dri" ]; then |
| set -- "$@" -b /dev/dri,,1 |
| fi |
| set -- "$@" -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' |
| set -- "$@" -b /run/camera,,1 -b /run/systemd/journal -t |
| |
| # Mount /run/chromeos-config/v1 for access to chromeos-config. |
| set -- "$@" -b /run/chromeos-config/v1 |
| |
| # Assume static ELF binary to give arc-camera access to /proc/self. |
| set -- "$@" -Tstatic |
| |
| # Drop privileges and set seccomp filter. |
| set -- "$@" -n -S "${SECCOMP_POLICY_FILE}" |
| set -- "$@" -- /usr/bin/cros_camera_algo --type=gpu |
| |
| exec minijail0 "$@" |
| end script |
