blob: 108e1b749a7061805d8bd981f122e905a2d3c1f7 [file] [log] [blame]
# Copyright 2017 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Run virtual_file_provider with minijail0 for ARC container.
# The mount path is set to /mnt in the minijail namespace.
set -e
# Start virtual-file-provider with /mnt as FUSE mount point in the
# minijail namespace.
# --profile=minimalistic-mountns Use minimalistic-mountns profile.
# -e Enter a new network namespace.
# -p -I Enter a new PID namespace and run the process as init (pid=1).
# -l Enter a new IPC namespace.
# -c Forbid all caps except CAP_SYS_ADMIN (for mount() syscall) and
# CAP_SETPCAP (to drop capabilities when it's not needed).
# -u/-g Run as virtual-file-provider user/group.
# -k Mount tmpfs on /mnt and /run.
# -b /run/dbus is for D-Bus system bus socket.
# /dev/fuse is for mounting FUSE file systems.
# -f Assign freeze cgroup as
# /sys/fs/cgroup/freezer/virtual-file-provider/cgroup.procs
exec minijail0 \
--profile=minimalistic-mountns \
-e \
-p -I \
-l \
-c 0x200100 \
-u virtual-file-provider -g virtual-file-provider -G \
-k "tmpfs,/mnt,tmpfs,${MOUNT_FLAGS}" \
-k "tmpfs,/run,tmpfs,${MOUNT_FLAGS}" \
-b /run/dbus \
-b /dev/fuse \
-f /sys/fs/cgroup/freezer/virtual-file-provider/cgroup.procs \
-- /usr/bin/virtual-file-provider --path=/mnt