| #!/bin/sh |
| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Run apk-cache-cleaner with minijail0. |
| # 656360 is an Android system UID/GID |
| |
| set -e |
| |
| # See src/platform2/arc/setup/arc_setup.cc for more info about these values. |
| SYSTEM_UID="656360" |
| SYSTEM_GID="656360" |
| |
| APK_CACHE_PATH=/mnt/stateful_partition/unencrypted/apkcache |
| if [ ! -d "${APK_CACHE_PATH}" ]; then |
| # If the APK cache directory does not exist, there's nothing to clean. |
| exit 0 |
| fi |
| |
| # Bind cache directory as writable. Add /var directory to follow /etc/localtime. |
| # Enter new pid and cgroup namespaces. Setting no new privileges. |
| # Restrict caps to 0. Entering new mount namespace, new UTS namespace, |
| # new IPC namespace and new network namespace. |
| exec minijail0 --profile minimalistic-mountns \ |
| -k 'none,/mnt,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=64k' \ |
| -b "${APK_CACHE_PATH},,1" \ |
| -k 'none,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=64k' \ |
| -b /var/lib/timezone \ |
| -p -N -n -c 0 -v -r --uts -l -e \ |
| -S /usr/share/policy/apk-cache-cleaner-seccomp.policy \ |
| -u "${SYSTEM_UID}" -g "${SYSTEM_GID}" -- /usr/sbin/apk-cache-cleaner |