| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Upstart job that runs the arc-adbd bridge. The main script validates the |
| # serial number handed over by arc-setup and starts /usr/sbin/arc-adbd in a |
| # minijail0 sandbox; the post-stop script cleans up ${RUNTIME_DIR}. |
| description "Run /system/bin/adbd (bridge)" |
| author "chromium-os-dev@chromium.org" |
| |
| # Note: The lifecycle of this job is managed by the arc-setup job. There is |
| # no "start on" stanza here, so the job only runs when started explicitly. |
| stop on stop-arc-instance or stopping ui |
| |
| # There is no point in keeping this service alive once the VM it talks to |
| # has been killed by the OOM killer, so its OOM score should be higher than |
| # that of the VM instance. |
| # NOTE(review): the VM's score is not visible in this file; confirm that |
| # -100 really is higher than the VM instance's value. |
| oom score -100 |
| |
| # The service allocates some buffers; cap its address space (soft and hard |
| # limit, in bytes) so a runaway allocation fails instead of growing unbounded. |
| limit as 150000000 150000000 |
| |
| # Fixed paths used by the scripts below. |
| env PIDFILE=/run/arc/adbd.pid |
| env RUNTIME_DIR=/run/arc/adbd |
| |
| # The following environment variables are passed from arc-setup. |
| # SERIALNUMBER is treated as untrusted until the main script has validated it. |
| import SERIALNUMBER |
| |
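| script |
| # Main job body: validate SERIALNUMBER, then exec arc-adbd inside a |
| # minijail0 sandbox whose flags are accumulated in ${args}. |
| { |
| echo "Start arc-adbd" |
| # The brace group is one side of a pipeline, so this trace setting only |
| # applies to the commands inside the group. |
| set -x |
| |
| # Clean up a stale pid file if one exists. |
| rm -f "${PIDFILE}" |
| } 2>&1 | logger -t "${UPSTART_JOB}" |
| |
| # The serial number format (6 to 20 ASCII letters and digits) is derived |
| # from Android CTS. |
| # The whole value is checked with shell pattern matching rather than by |
| # piping it through grep: grep matches line by line, so a value with an |
| # embedded newline would pass as long as one of its lines matched, and |
| # echo may rewrite backslash sequences depending on the shell. The value |
| # is later expanded unquoted into the command line, so nothing but |
| # letters and digits may get past this check. |
| serial_ok=1 |
| case "${SERIALNUMBER}" in |
| *[!0-9A-Za-z]*) serial_ok=0 ;; |
| esac |
| if [ "${#SERIALNUMBER}" -lt 6 ] || [ "${#SERIALNUMBER}" -gt 20 ]; then |
| serial_ok=0 |
| fi |
| if [ "${serial_ok}" -ne 1 ]; then |
| logger -t "${UPSTART_JOB}" "ERROR: Serial number is invalid." |
| exit 1 |
| fi |
| |
| # Start constructing minijail0 args... |
| args="minijail0" |
| |
| # Use a minimalistic mount namespace. |
| args="${args} --profile minimalistic-mountns" |
| |
| # Enter a new mount namespace. |
| args="${args} -v" |
| |
| # Enter a new PID namespace. |
| args="${args} -p" |
| |
| # Skip remounting as private. |
| args="${args} -K" |
| |
| # Enter a new IPC namespace. |
| args="${args} -l" |
| |
| # Create PID file at $PIDFILE. |
| args="${args} -f $PIDFILE" |
| |
| # Set up mount points: bind-mount /sys and put a fresh tmpfs on /run that |
| # is mounted nosuid, nodev and noexec. |
| args="${args} -b /sys,/sys" |
| args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC" |
| |
| # Set up seccomp-bpf. |
| args="${args} -S /usr/share/policy/arcvm-adbd-seccomp.policy" |
| |
| # Allow only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, |
| # CAP_SYS_MODULE, CAP_SYS_ADMIN (capability bits 0, 1, 2, 16 and 21, i.e. |
| # the hexadecimal mask 210007). -n sets no_new_privs and --ambient also |
| # raises the kept capabilities in the ambient set. |
| # NOTE(review): CAP_SYS_ADMIN and CAP_SYS_MODULE are very broad, so most of |
| # the confinement rests on the namespaces and the seccomp policy above; |
| # re-check whether both are still required whenever arc-adbd changes. |
| args="${args} -n -c 210007 --ambient" |
| |
| # Finally, specify the command line arguments. |
| args="${args} -- /usr/sbin/arc-adbd --serialnumber=${SERIALNUMBER}" |
| |
| # Note that this writes the full command line, including the device serial |
| # number, to the system log. |
| logger -t "${UPSTART_JOB}" "Executing: ${args}" |
| # ${args} is deliberately unquoted so that the shell splits it into |
| # separate arguments. That is only safe because every component is a fixed |
| # literal or the serial number validated above. |
| exec ${args} |
| end script |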
| |
| post-stop script |
| # Cleanup after the main process has exited: lazily unmount the two |
| # endpoint mounts and delete what is left directly under ${RUNTIME_DIR}. |
| # All output, including the command trace, goes to syslog via logger. |
| { |
| echo "Post-stop arc-adbd" |
| # +e: keep going when a step fails (cleanup is best effort). |
| # -x: trace each command; stderr is redirected into logger below. |
| set +e -x |
| |
| # Perform best-effort unmounting of the bulk endpoints. |
| umount --lazy "${RUNTIME_DIR}"/ep1 |
| umount --lazy "${RUNTIME_DIR}"/ep2 |
| # rm runs without -r, so only non-directory entries matched by the glob |
| # are removed. |
| # NOTE(review): RUNTIME_DIR comes from the env stanza of this job; if it |
| # were ever empty the glob would become /*. Writing "${RUNTIME_DIR:?}/"* |
| # would make the script stop instead. |
| exec rm -f "${RUNTIME_DIR}/"* |
| } 2>&1 | logger -t "${UPSTART_JOB}" |
| end script |