arc/adbd/init/arc-adbd.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Run /system/bin/adbd in a container"
 author        "chromium-os-dev@chromium.org"

 # Note: Lifecycle of this job is managed by arc-setup job.
 stop on stop-arc-instance or stopping ui

 env LOGFILE=/var/log/arc-adbd.log
 env PIDFILE=/run/arc/adbd.pid
 env ADBD_ROOTFS_DIR=\
 /opt/google/containers/arc-adbd/mountpoints/container-root
 env RUNTIME_DIR=/run/arc/adbd
 env SHELL_UGID=657360

 # The following environment variables are passed from arc-setup.
 import SERIALNUMBER

 script
   {
     echo "Start arc-adbd"
     set -x

     # Clean up a stale pid file if exists.
     rm -f $PIDFILE
   } 2>&1 | logger -t "${UPSTART_JOB}"

   # check if we should setup adb for arcvm (default)
   no_arcvm=""
   if ! grep -qs "1" /run/chrome/is_arcvm; then
     no_arcvm="--noarcvm"
   fi

   # Start constructing minijail0 args...
   args="minijail0"

   # Use a minimalistic mount namespace.
   args="$args --profile minimalistic-mountns"

   # Enter a new mount namespace.
   args="$args -v"

   # Enter a new network namespace.
   args="$args -e"

   # Enter a new PID namespace.
   args="$args -p"

   # Skip remounting as private.
   args="$args -K"

   # Enter a new IPC namespace.
   args="$args -l"

   # Create PID file at $PIDFILE.
   args="$args -f $PIDFILE"

   # Set up mount points.
   args="$args -b /sys,/sys"
   args="$args -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC"
   if [ -n "${no_arcvm}" ]; then
     args="$args -k /run/arc/adbd,/run/arc/adbd,none,0x1000" # MS_BIND
     args="$args -k none,/run/arc/adbd,none,0x100000" # MS_SHARED
   fi
   # Set up seccomp-bpf.
   args="$args -S /usr/share/policy/arc-adbd-seccomp.policy"

   # Allow only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
   # CAP_SYS_MODULE, CAP_SYS_ADMIN.
   args="$args -n -c 210007 --ambient"

   # Finally, specify the command line arguments.
   args="$args -- /usr/sbin/arc-adbd --serialnumber=${SERIALNUMBER} ${no_arcvm}"

   logger -t "${UPSTART_JOB}" "Executing: $args"
   exec $args
 end script

 post-stop script
   {
     echo "Post-stop arc-adbd"
     set +e -x

     # Perform best-effort unmounting of the bulk endpoints.
     umount --lazy "${RUNTIME_DIR}"/ep1
     umount --lazy "${RUNTIME_DIR}"/ep2
     exec rm -f "${RUNTIME_DIR}/"*
   } 2>&1 | logger -t "${UPSTART_JOB}"
 end script
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Run /system/bin/adbd in a container"
	author "chromium-os-dev@chromium.org"

	# Note: Lifecycle of this job is managed by arc-setup job.
	stop on stop-arc-instance or stopping ui

	env LOGFILE=/var/log/arc-adbd.log
	env PIDFILE=/run/arc/adbd.pid
	env ADBD_ROOTFS_DIR=\
	/opt/google/containers/arc-adbd/mountpoints/container-root
	env RUNTIME_DIR=/run/arc/adbd
	env SHELL_UGID=657360

	# The following environment variables are passed from arc-setup.
	import SERIALNUMBER

	script
	{
	echo "Start arc-adbd"
	set -x

	# Clean up a stale pid file if exists.
	rm -f $PIDFILE
	} 2>&1 \| logger -t "${UPSTART_JOB}"

	# check if we should setup adb for arcvm (default)
	no_arcvm=""
	if ! grep -qs "1" /run/chrome/is_arcvm; then
	no_arcvm="--noarcvm"
	fi

	# Start constructing minijail0 args...
	args="minijail0"

	# Use a minimalistic mount namespace.
	args="$args --profile minimalistic-mountns"

	# Enter a new mount namespace.
	args="$args -v"

	# Enter a new network namespace.
	args="$args -e"

	# Enter a new PID namespace.
	args="$args -p"

	# Skip remounting as private.
	args="$args -K"

	# Enter a new IPC namespace.
	args="$args -l"

	# Create PID file at $PIDFILE.
	args="$args -f $PIDFILE"

	# Set up mount points.
	args="$args -b /sys,/sys"
	args="$args -k tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC"
	if [ -n "${no_arcvm}" ]; then
	args="$args -k /run/arc/adbd,/run/arc/adbd,none,0x1000" # MS_BIND
	args="$args -k none,/run/arc/adbd,none,0x100000" # MS_SHARED
	fi
	# Set up seccomp-bpf.
	args="$args -S /usr/share/policy/arc-adbd-seccomp.policy"

	# Allow only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
	# CAP_SYS_MODULE, CAP_SYS_ADMIN.
	args="$args -n -c 210007 --ambient"

	# Finally, specify the command line arguments.
	args="$args -- /usr/sbin/arc-adbd --serialnumber=${SERIALNUMBER} ${no_arcvm}"

	logger -t "${UPSTART_JOB}" "Executing: $args"
	exec $args
	end script

	post-stop script
	{
	echo "Post-stop arc-adbd"
	set +e -x

	# Perform best-effort unmounting of the bulk endpoints.
	umount --lazy "${RUNTIME_DIR}"/ep1
	umount --lazy "${RUNTIME_DIR}"/ep2
	exec rm -f "${RUNTIME_DIR}/"*
	} 2>&1 \| logger -t "${UPSTART_JOB}"
	end script