arc/adbd/init/arc-adbd.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Run /system/bin/adbd in a container"
 author        "chromium-os-dev@chromium.org"

 # Note: Lifecycle of this job is managed by arc-setup job.
 stop on stop-arc-instance or stopping ui

 env PIDFILE=/run/arc/adbd.pid
 env RUNTIME_DIR=/run/arc/adbd

 # The following environment variables are passed from arc-setup.
 import SERIALNUMBER

 pre-start script
   logger -t "${UPSTART_JOB}" "Pre-start arc-adbd"

   # Validity check against serial number is derived from Android CTS.
   if ! echo "${SERIALNUMBER}" | grep -q -E '^[0-9A-Za-z]{6,20}$'; then
     logger -t "${UPSTART_JOB}" "ERROR: Serial number is invalid."
     stop
     exit 0
   fi

   # Clean up a stale pid file if exists.
   if ! rm -f "${PIDFILE}"; then
     logger -t "${UPSTART_JOB}" "ERROR: Failed to remove ${PIDFILE}"
     stop
     exit 0
   fi
 end script

 script
   # Start constructing minijail0 args...
   args="minijail0"

   # Use a minimalistic mount namespace.
   args="${args} --profile minimalistic-mountns"

   # Enter a new mount namespace.
   args="${args} -v"

   # Enter a new network namespace.
   args="${args} -e"

   # Enter a new PID namespace.
   args="${args} -p"

   # Skip remounting as private.
   args="${args} -K"

   # Enter a new IPC namespace.
   args="${args} -l"

   # Create PID file at $PIDFILE.
   args="${args} -f $PIDFILE"

   # Set up mount points.
   args="${args} -b /sys,/sys"
   args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC"
   args="${args} -k /run/arc/adbd,/run/arc/adbd,none,0x1000" # MS_BIND
   args="${args} -k none,/run/arc/adbd,none,0x100000" # MS_SHARED

   # Set up seccomp-bpf.
   args="${args} -S /usr/share/policy/arc-adbd-seccomp.policy"

   # Allow only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
   # CAP_SYS_MODULE, CAP_SYS_ADMIN.
   args="${args} -n -c 210007 --ambient"

   # Finally, specify the command line arguments.
   args="${args} -- /usr/sbin/arc-adbd --serialnumber=${SERIALNUMBER} --noarcvm"

   logger -t "${UPSTART_JOB}" "Executing: ${args}"
   exec ${args}
 end script

 post-stop script
   {
     echo "Post-stop arc-adbd"
     set +e -x

     # Perform best-effort unmounting of the bulk endpoints.
     umount --lazy "${RUNTIME_DIR}"/ep1
     umount --lazy "${RUNTIME_DIR}"/ep2
     exec rm -f "${RUNTIME_DIR}/"*
   } 2>&1 | logger -t "${UPSTART_JOB}"
 end script
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Run /system/bin/adbd in a container"
	author "chromium-os-dev@chromium.org"

	# Note: Lifecycle of this job is managed by arc-setup job.
	stop on stop-arc-instance or stopping ui

	env PIDFILE=/run/arc/adbd.pid
	env RUNTIME_DIR=/run/arc/adbd

	# The following environment variables are passed from arc-setup.
	import SERIALNUMBER

	pre-start script
	logger -t "${UPSTART_JOB}" "Pre-start arc-adbd"

	# Validity check against serial number is derived from Android CTS.
	if ! echo "${SERIALNUMBER}" \| grep -q -E '^[0-9A-Za-z]{6,20}$'; then
	logger -t "${UPSTART_JOB}" "ERROR: Serial number is invalid."
	stop
	exit 0
	fi

	# Clean up a stale pid file if exists.
	if ! rm -f "${PIDFILE}"; then
	logger -t "${UPSTART_JOB}" "ERROR: Failed to remove ${PIDFILE}"
	stop
	exit 0
	fi
	end script

	script
	# Start constructing minijail0 args...
	args="minijail0"

	# Use a minimalistic mount namespace.
	args="${args} --profile minimalistic-mountns"

	# Enter a new mount namespace.
	args="${args} -v"

	# Enter a new network namespace.
	args="${args} -e"

	# Enter a new PID namespace.
	args="${args} -p"

	# Skip remounting as private.
	args="${args} -K"

	# Enter a new IPC namespace.
	args="${args} -l"

	# Create PID file at $PIDFILE.
	args="${args} -f $PIDFILE"

	# Set up mount points.
	args="${args} -b /sys,/sys"
	args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC"
	args="${args} -k /run/arc/adbd,/run/arc/adbd,none,0x1000" # MS_BIND
	args="${args} -k none,/run/arc/adbd,none,0x100000" # MS_SHARED

	# Set up seccomp-bpf.
	args="${args} -S /usr/share/policy/arc-adbd-seccomp.policy"

	# Allow only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
	# CAP_SYS_MODULE, CAP_SYS_ADMIN.
	args="${args} -n -c 210007 --ambient"

	# Finally, specify the command line arguments.
	args="${args} -- /usr/sbin/arc-adbd --serialnumber=${SERIALNUMBER} --noarcvm"

	logger -t "${UPSTART_JOB}" "Executing: ${args}"
	exec ${args}
	end script

	post-stop script
	{
	echo "Post-stop arc-adbd"
	set +e -x

	# Perform best-effort unmounting of the bulk endpoints.
	umount --lazy "${RUNTIME_DIR}"/ep1
	umount --lazy "${RUNTIME_DIR}"/ep2
	exec rm -f "${RUNTIME_DIR}/"*
	} 2>&1 \| logger -t "${UPSTART_JOB}"
	end script