| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Run /system/bin/sdcard in a container" |
| author "chromium-os-dev@chromium.org" |
| |
| # This job is started via arc-boot-continue.conf. |
| # This job is stopped via arc-lifetime.conf. |
| |
| # Unused, but to be compliant with sdcardfs upstart script. |
| import CONTAINER_PID |
| |
| env PIDFILE=/run/arc/sdcard.pid |
| env ANDROID_ROOTFS_DIR=/opt/google/containers/android/rootfs/root |
| env ANDROID_MUTABLE_SOURCE=/opt/google/containers/android/rootfs/android-data |
| env SDCARD_ROOTFS_DIR=\ |
| /opt/google/containers/arc-sdcard/mountpoints/container-root |
| env SDCARD_MOUNT_DIR=/run/arc/sdcard |
| |
| env ROOT_UID=655360 |
| env SDCARD_UID=656383 |
| |
| # Clean up a stale pid file if it exists. |
| pre-start exec rm -f $PIDFILE |
| |
| # Note: $SDCARD_MOUNT_DIR/... and $ANDROID_MUTABLE_SOURCE/data/... |
| # (including /data/media) should have been properly initialized. |
| |
| # syslog-cat is used to redirect stdio from sdcard to journald for logging |
| # minijail will exit after forking into PID namespace and upstart tracks root |
| # of PID namespace |
| # -T static because mounts prevent minijail detecting that binary is static |
| # TODO(ereth): replace 0x44000 for the / dir mount with MS_REC|MS_PRIVATE once |
| # minijail accepts this combination of flags |
| expect fork |
| exec /usr/sbin/syslog-cat --identifier="${UPSTART_JOB}" -- \ |
| capsh --drop=CAP_BLOCK_SUSPEND,CAP_WAKE_ALARM,CAP_SYS_BOOT \ |
| -- -c "exec minijail0 \ |
| -P $SDCARD_ROOTFS_DIR \ |
| -e -p -v -l -K -i \ |
| -a android \ |
| -f $PIDFILE \ |
| -k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -b $ANDROID_ROOTFS_DIR/system/bin/sdcard,/system/bin/sdcard \ |
| -b $ANDROID_MUTABLE_SOURCE/data,/data,1 \ |
| -b /home/chronos/user/Downloads,/Downloads,1 \ |
| -k none,/,none,0x44000 \ |
| -b $SDCARD_MOUNT_DIR,/mnt/runtime,1 \ |
| -k 'none,/mnt/runtime,none,MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT' \ |
| -T static \ |
| -- /system/bin/sdcard -u $SDCARD_UID -g $SDCARD_UID \ |
| -m -w /data/media emulated" |
| |
| post-stop exec /usr/sbin/arc-setup --mode=unmount-sdcard \ |
| "--log_tag=${UPSTART_JOB}" |