u2fd/init/u2fd.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2017 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Start the U2FHID emulation daemon"
 author        "chromium-os-dev@chromium.org"

 # TODO(crbug.com/770150) also start on device policy creation/update for OOBE.
 start on started system-services and started trunksd
 stop on stopping system-services
 respawn
 # if the job respawns 3 times in 10 seconds, stop trying.
 respawn limit 3 10
 # Do not respawn if we exited on purpose (e.g. service disabled).
 normal exit 0

 # Directory containing (u2f|g2f|verbose).force files.
 env FORCE_DIR=/var/lib/u2f/force

 pre-start script
   mkdir -p /var/lib/whitelist
   # Settings override.
   mkdir -p -m 0700 "${FORCE_DIR}"
 end script

 # -e creates Network namespace.
 # -p creates PID namespace.
 # -l creates IPC namespace.
 # -r remounts /proc read-only.
 # -v enters new mount namespace (allows to change mounts inside jail).
 # -n prevents that execve gains privileges.
 # --uts creates a new UTS namespace.
 # -c 0 don't need any capability.
 # -P creates a pivot_root at the target folder.
 # -b /,/ mounts / read-only.
 # -b /run,/run mount read-only, required for D-Bus.
 # -b /dev,/dev required to access /dev/uhid.
 # -b ...,/var to read device policies from /var/lib/whitelist/policy.
 # -u u2f change user.
 # -G inherit u2f supplementary groups (ie policy-readers)
 # -g bluetooth change group to access /dev/uhid.
 script
   force_enabled() {
     [ -f "${FORCE_DIR}/$1.force" ]
   }

   ARGS=""
   force_enabled u2f && ARGS="${ARGS} --force_u2f"
   force_enabled g2f && ARGS="${ARGS} --force_g2f"
   force_enabled user_keys && ARGS="${ARGS} --user_keys"
   force_enabled allowlist_data && ARGS="${ARGS} --g2f_allowlist_data"
   force_enabled verbose && ARGS="${ARGS} --verbose"

   # u2fd needs access /dev/uhid to create a new virtual USBHID device.
   exec minijail0 -e -p -l -r -v -n --uts -c 0 -Kslave                \
                --profile=minimalistic-mountns                        \
                -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC'    \
                -k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC'    \
                -k '/run/daemon-store/u2f,/run/daemon-store/u2f,none,MS_BIND|MS_REC'  \
                -b /dev/uhid                                          \
                -b /run/dbus                                          \
                -b /var/lib/whitelist                                 \
                -b /var/lib/metrics,,1                                \
                -u u2f -G -g bluetooth -- /usr/bin/u2fd ${ARGS}
 end script
	# Copyright 2017 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start the U2FHID emulation daemon"
	author "chromium-os-dev@chromium.org"

	# TODO(crbug.com/770150) also start on device policy creation/update for OOBE.
	start on started system-services and started trunksd
	stop on stopping system-services
	respawn
	# if the job respawns 3 times in 10 seconds, stop trying.
	respawn limit 3 10
	# Do not respawn if we exited on purpose (e.g. service disabled).
	normal exit 0

	# Directory containing (u2f\|g2f\|verbose).force files.
	env FORCE_DIR=/var/lib/u2f/force

	pre-start script
	mkdir -p /var/lib/whitelist
	# Settings override.
	mkdir -p -m 0700 "${FORCE_DIR}"
	end script

	# -e creates Network namespace.
	# -p creates PID namespace.
	# -l creates IPC namespace.
	# -r remounts /proc read-only.
	# -v enters new mount namespace (allows to change mounts inside jail).
	# -n prevents that execve gains privileges.
	# --uts creates a new UTS namespace.
	# -c 0 don't need any capability.
	# -P creates a pivot_root at the target folder.
	# -b /,/ mounts / read-only.
	# -b /run,/run mount read-only, required for D-Bus.
	# -b /dev,/dev required to access /dev/uhid.
	# -b ...,/var to read device policies from /var/lib/whitelist/policy.
	# -u u2f change user.
	# -G inherit u2f supplementary groups (ie policy-readers)
	# -g bluetooth change group to access /dev/uhid.
	script
	force_enabled() {
	[ -f "${FORCE_DIR}/$1.force" ]
	}

	ARGS=""
	force_enabled u2f && ARGS="${ARGS} --force_u2f"
	force_enabled g2f && ARGS="${ARGS} --force_g2f"
	force_enabled user_keys && ARGS="${ARGS} --user_keys"
	force_enabled allowlist_data && ARGS="${ARGS} --g2f_allowlist_data"
	force_enabled verbose && ARGS="${ARGS} --verbose"

	# u2fd needs access /dev/uhid to create a new virtual USBHID device.
	exec minijail0 -e -p -l -r -v -n --uts -c 0 -Kslave \
	--profile=minimalistic-mountns \
	-k 'tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-k 'tmpfs,/var,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-k '/run/daemon-store/u2f,/run/daemon-store/u2f,none,MS_BIND\|MS_REC' \
	-b /dev/uhid \
	-b /run/dbus \
	-b /var/lib/whitelist \
	-b /var/lib/metrics,,1 \
	-u u2f -G -g bluetooth -- /usr/bin/u2fd ${ARGS}
	end script