oobe_config/etc/init/oobe_config_restore.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "OOBE Config Restore daemon"
 author          "chromium-os-dev@chromium.org"

 # NOTE: The ebuild will erase the "and started tcsd" part for TPM2 devices.
 start on started boot-services and started tcsd
 stop on stopping boot-services

 # 32MByte RLIMIT_MEMLOCK, this is required because oobe_config_restore uses
 # SecureBlob to store owner key, install attributes and shill default profile,
 # and SecureBlob uses mlock().
 limit memlock 33554432 33554432

 pre-start script
   mkdir -m 700 -p /var/lib/oobe_config_restore
   chown oobe_config_restore:oobe_config_restore /var/lib/oobe_config_restore

   # If OOBE is already completed then don't start the service.
   if [ -f "/home/chronos/.oobe_completed" ]; then
     stop
   fi

   if [ -d "/mnt/stateful_partition/unencrypted/oobe_auto_config" ]; then
     /usr/sbin/store_usb_oobe_config
   fi
 end script

 # Minijail actually forks off the desired process.
 expect fork

 # --profile=minimalistic-mountns Set up a minimalistic mount namespace
 # -i makes sure minijail0 exits right away.
 # -p Enter a new PID namespace and run the process as init (pid=1).
 # -I Runs program as init inside a new pid namespace.
 # -l Enter a new IPC namespace.
 # --uts Enters a new UTS namespace.
 # -n Sets the no_new_privs bit.
 # -S Apply seccomp filters.
 # -b Binds /dev/log to /dev/log in chroot.
 # -u Run as oobe_config_restore user.
 # -g Run as oobe_config_restore group.

 # TODO(zentaro): Add secomp filters when implementation is done.
 # NOTE: The ebuild erases the "-b /run/tcsd" line on TPM2 devices.
 exec minijail0 \
     --profile=minimalistic-mountns \
     -i \
     -p -I \
     -l \
     --uts \
     -n \
     -b /dev/log \
     -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
     -b /run/dbus \
     -b /run/tcsd \
     -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
     -b /var/lib/metrics,,1 \
     -b /var/lib/oobe_config_restore,,1 \
     -k '/mnt/stateful_partition,/mnt/stateful_partition,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
     -b /mnt/stateful_partition/unencrypted/preserve \
     -u oobe_config_restore -g oobe_config_restore \
     -G \
     -S /usr/share/policy/oobe_config_restore-seccomp.policy \
     /usr/sbin/oobe_config_restore

 post-start exec minijail0 -u oobe_config_restore -g oobe_config_restore \
     /usr/bin/gdbus wait --system --timeout 15 org.chromium.OobeConfigRestore
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "OOBE Config Restore daemon"
	author "chromium-os-dev@chromium.org"

	# NOTE: The ebuild will erase the "and started tcsd" part for TPM2 devices.
	start on started boot-services and started tcsd
	stop on stopping boot-services

	# 32MByte RLIMIT_MEMLOCK, this is required because oobe_config_restore uses
	# SecureBlob to store owner key, install attributes and shill default profile,
	# and SecureBlob uses mlock().
	limit memlock 33554432 33554432

	pre-start script
	mkdir -m 700 -p /var/lib/oobe_config_restore
	chown oobe_config_restore:oobe_config_restore /var/lib/oobe_config_restore

	# If OOBE is already completed then don't start the service.
	if [ -f "/home/chronos/.oobe_completed" ]; then
	stop
	fi

	if [ -d "/mnt/stateful_partition/unencrypted/oobe_auto_config" ]; then
	/usr/sbin/store_usb_oobe_config
	fi
	end script

	# Minijail actually forks off the desired process.
	expect fork

	# --profile=minimalistic-mountns Set up a minimalistic mount namespace
	# -i makes sure minijail0 exits right away.
	# -p Enter a new PID namespace and run the process as init (pid=1).
	# -I Runs program as init inside a new pid namespace.
	# -l Enter a new IPC namespace.
	# --uts Enters a new UTS namespace.
	# -n Sets the no_new_privs bit.
	# -S Apply seccomp filters.
	# -b Binds /dev/log to /dev/log in chroot.
	# -u Run as oobe_config_restore user.
	# -g Run as oobe_config_restore group.

	# TODO(zentaro): Add secomp filters when implementation is done.
	# NOTE: The ebuild erases the "-b /run/tcsd" line on TPM2 devices.
	exec minijail0 \
	--profile=minimalistic-mountns \
	-i \
	-p -I \
	-l \
	--uts \
	-n \
	-b /dev/log \
	-k '/run,/run,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-b /run/dbus \
	-b /run/tcsd \
	-k '/var,/var,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-b /var/lib/metrics,,1 \
	-b /var/lib/oobe_config_restore,,1 \
	-k '/mnt/stateful_partition,/mnt/stateful_partition,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-b /mnt/stateful_partition/unencrypted/preserve \
	-u oobe_config_restore -g oobe_config_restore \
	-G \
	-S /usr/share/policy/oobe_config_restore-seccomp.policy \
	/usr/sbin/oobe_config_restore

	post-start exec minijail0 -u oobe_config_restore -g oobe_config_restore \
	/usr/bin/gdbus wait --system --timeout 15 org.chromium.OobeConfigRestore