# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start arc-data-snapshotd daemon in Chrome OS."
author ""
# The Chrome browser manages the lifetime of the arc-data-snapshotd daemon via
# upstart; no "start on" stanza appears in this file.
# The daemon is responsible for managing ARC snapshots of the data/ directory.
stop on stopping ui
# Killable for memory leaks.
oom score -100
# If the job respawns 3 times in 10 seconds, stop trying.
# NOTE(review): no "respawn" stanza is visible in this file; "respawn limit"
# only sets the limit and does not by itself enable respawning. Confirm
# whether automatic respawn is intended.
respawn limit 3 10
# Snapshot directory: created and chowned in pre-start, then bind-mounted into
# the jail by the main script.
# NOTE(review): going by the path name this sits on the unencrypted part of
# the stateful partition; confirm the snapshot contents are protected by
# other means.
env SNAPSHOT_DIR=/mnt/stateful_partition/unencrypted/arc-data-snapshot
# Prepares the snapshot directory before the daemon is launched. These
# commands are not wrapped in minijail0, unlike the main process.
pre-start script
# Create the directory if it is missing. -m 755 applies only to the final
# path component and only when mkdir creates it; an existing directory keeps
# whatever mode it already has.
mkdir -p -m 755 "${SNAPSHOT_DIR}"
# Re-assign the whole tree to the daemon account on every start.
# NOTE(review): presumably this runs with init's privileges; a recursive
# chown acts on every entry found in the tree, so review who can create
# entries under this path between runs.
chown -R arc-data-snapshotd:arc-data-snapshotd "${SNAPSHOT_DIR}"
end script
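script
  # Main process: launch arc-data-snapshotd inside a minijail0 sandbox.
  # The "script" opener is required here; the closing "end script" below
  # would otherwise be unmatched.
  #
  # Used jailing parameters:
  #   -e: new network namespace;
  #   -l: new IPC namespace;
  #   -n: the no_new_privs bit;
  #   -p: new PID namespace;
  #   -t: a new tmpfs filesystem for /tmp;
  #   -v: new VFS namespace;
  #   --uts: new UTS/hostname namespace;
  #   -u, -g: user account and group;
  #   --profile: minimalistic mount namespace;
  #   -k /mnt: a new tmpfs filesystem for /mnt, with the subsequent parameters
  #     mounting specific directories into it;
  #   -k /run: a new tmpfs filesystem for /run, with the subsequent parameters
  #     mounting specific files into this directory;
  #   -b /run/dbus: shared socket file for talking with the D-Bus daemon;
  #   -b /mnt/stateful_partition/unencrypted/arc-data-snapshot: arc data
  #     snapshot directory (passed as ${SNAPSHOT_DIR});
  #   -b /opt/google/containers/android/rootfs/android-data: bind mounted
  #     android-data directory;
  #   -S: apply seccomp filters.
  #
  # NOTE(review): none of the -b arguments carries the optional writable
  # field, and minijail0 bind mounts are read-only without it. Confirm that
  # read-only access to ${SNAPSHOT_DIR} and android-data is what the daemon
  # needs, given that pre-start chowns ${SNAPSHOT_DIR} to the daemon account.
  logger -t "${UPSTART_JOB}" "Start arc-data-snapshotd"
  # Shell trace: print the minijail0 command line before it is executed.
  set -x
  # exec replaces the shell, so no wrapper process stays between upstart and
  # the jailed daemon.
  exec minijail0 -e -l -n -p -t -v --uts \
    -u arc-data-snapshotd -g arc-data-snapshotd \
    --profile=minimalistic-mountns \
    -k 'tmpfs,/mnt,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
    -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
    -b /run/dbus \
    -b "${SNAPSHOT_DIR}" \
    -b /opt/google/containers/android/rootfs/android-data \
    -S /usr/share/policy/arc-data-snapshotd-seccomp.policy \
    -- /usr/bin/arc-data-snapshotd
end script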
# Wait for daemon to claim its D-Bus name before transitioning to started.
# gdbus runs as the daemon account: minijail0 is given only -u/-g here, so
# this helper drops uid/gid but gets none of the namespace or seccomp
# restrictions applied to the main process. It waits at most 15 seconds for
# org.chromium.ArcDataSnapshotd to appear on the system bus.
post-start exec minijail0 -u arc-data-snapshotd -g arc-data-snapshotd \
/usr/bin/gdbus wait --system --timeout 15 org.chromium.ArcDataSnapshotd
# Record the stop in the system log, tagged with the upstart job name.
post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-data-snapshotd"