arc/adbd/init/arcvm-adbd.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2020 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Run /system/bin/adbd (bridge)"
 author        "chromium-os-dev@chromium.org"

 start on starting arcvm-post-vm-start-services
 stop on stopping arcvm-post-vm-start-services

 # There is no point to have this service when the VM it talks to has
 # been killed in oom case, so the value should be higher than the VM
 # instance.
 oom score -100

 # The service will allocate some buffers.
 limit as 150000000 150000000

 env PIDFILE=/run/arc/adbd.pid
 env RUNTIME_DIR=/run/arc/adbd

 # The following environment variables are passed from Chrome.
 import SERIALNUMBER
 import ARCVM_CID

 pre-start script
   logger -t "${UPSTART_JOB}" "Pre-start arcvm-adbd"

   # Validity check against serial number is derived from Android CTS.
   if ! echo "${SERIALNUMBER}" | grep -q -E '^[0-9A-Za-z]{6,20}$'; then
     logger -t "${UPSTART_JOB}" "ERROR: Serial number is invalid."
     stop
     exit 0
   fi

   # Validity check cid of VM that is defined as unsigned integer.
   # In arc-adbd service the CID is for guest VM so it should start
   # from 3. (Refer to the man page of vsock)
   if ! echo "${ARCVM_CID}" | grep -q -E '^(([3-9])|([1-9][0-9]+))$'; then
     logger -t "${UPSTART_JOB}" "ERROR: CID of ARCVM is invalid."
     stop
     exit 0
   fi

   # Clean up a stale pid file if exists.
   if ! rm -f "${PIDFILE}"; then
     logger -t "${UPSTART_JOB}" "ERROR: Failed to remove ${PIDFILE}"
     stop
     exit 0
   fi
 end script

 script
   # Start constructing minijail0 args...
   args="minijail0"

   # Use a minimalistic mount namespace.
   args="${args} --profile minimalistic-mountns"

   # Enter a new mount namespace.
   args="${args} -v"

   # Enter a new PID namespace.
   args="${args} -p"

   # Skip remounting as private.
   args="${args} -K"

   # Enter a new IPC namespace.
   args="${args} -l"

   # Create PID file at $PIDFILE.
   args="${args} -f $PIDFILE"

   # Set up mount points.
   args="${args} -b /sys,/sys"
   args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC"

   # Set up seccomp-bpf.
   args="${args} -S /usr/share/policy/arcvm-adbd-seccomp.policy"

   # Allow only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
   # CAP_SYS_MODULE, CAP_SYS_ADMIN.
   args="${args} -n -c 210007 --ambient"

   # Finally, specify the command line arguments.
   args="${args} -- /usr/sbin/arc-adbd \
     --serialnumber=${SERIALNUMBER} \
     --arcvm_cid=${ARCVM_CID}"

   logger -t "${UPSTART_JOB}" "Executing: ${args}"
   exec ${args}
 end script

 post-stop script
   {
     echo "Post-stop arcvm-adbd"
     set +e -x

     # Perform best-effort unmounting of the bulk endpoints.
     umount --lazy "${RUNTIME_DIR}"/ep1
     umount --lazy "${RUNTIME_DIR}"/ep2
     exec rm -f "${RUNTIME_DIR}/"*
   } 2>&1 | logger -t "${UPSTART_JOB}"
 end script
	# Copyright 2020 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Run /system/bin/adbd (bridge)"
	author "chromium-os-dev@chromium.org"

	start on starting arcvm-post-vm-start-services
	stop on stopping arcvm-post-vm-start-services

	# There is no point to have this service when the VM it talks to has
	# been killed in oom case, so the value should be higher than the VM
	# instance.
	oom score -100

	# The service will allocate some buffers.
	limit as 150000000 150000000

	env PIDFILE=/run/arc/adbd.pid
	env RUNTIME_DIR=/run/arc/adbd

	# The following environment variables are passed from Chrome.
	import SERIALNUMBER
	import ARCVM_CID

	pre-start script
	logger -t "${UPSTART_JOB}" "Pre-start arcvm-adbd"

	# Validity check against serial number is derived from Android CTS.
	if ! echo "${SERIALNUMBER}" \| grep -q -E '^[0-9A-Za-z]{6,20}$'; then
	logger -t "${UPSTART_JOB}" "ERROR: Serial number is invalid."
	stop
	exit 0
	fi

	# Validity check cid of VM that is defined as unsigned integer.
	# In arc-adbd service the CID is for guest VM so it should start
	# from 3. (Refer to the man page of vsock)
	if ! echo "${ARCVM_CID}" \| grep -q -E '^(([3-9])\|([1-9][0-9]+))$'; then
	logger -t "${UPSTART_JOB}" "ERROR: CID of ARCVM is invalid."
	stop
	exit 0
	fi

	# Clean up a stale pid file if exists.
	if ! rm -f "${PIDFILE}"; then
	logger -t "${UPSTART_JOB}" "ERROR: Failed to remove ${PIDFILE}"
	stop
	exit 0
	fi
	end script

	script
	# Start constructing minijail0 args...
	args="minijail0"

	# Use a minimalistic mount namespace.
	args="${args} --profile minimalistic-mountns"

	# Enter a new mount namespace.
	args="${args} -v"

	# Enter a new PID namespace.
	args="${args} -p"

	# Skip remounting as private.
	args="${args} -K"

	# Enter a new IPC namespace.
	args="${args} -l"

	# Create PID file at $PIDFILE.
	args="${args} -f $PIDFILE"

	# Set up mount points.
	args="${args} -b /sys,/sys"
	args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC"

	# Set up seccomp-bpf.
	args="${args} -S /usr/share/policy/arcvm-adbd-seccomp.policy"

	# Allow only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
	# CAP_SYS_MODULE, CAP_SYS_ADMIN.
	args="${args} -n -c 210007 --ambient"

	# Finally, specify the command line arguments.
	args="${args} -- /usr/sbin/arc-adbd \
	--serialnumber=${SERIALNUMBER} \
	--arcvm_cid=${ARCVM_CID}"

	logger -t "${UPSTART_JOB}" "Executing: ${args}"
	exec ${args}
	end script

	post-stop script
	{
	echo "Post-stop arcvm-adbd"
	set +e -x

	# Perform best-effort unmounting of the bulk endpoints.
	umount --lazy "${RUNTIME_DIR}"/ep1
	umount --lazy "${RUNTIME_DIR}"/ep2
	exec rm -f "${RUNTIME_DIR}/"*
	} 2>&1 \| logger -t "${UPSTART_JOB}"
	end script