dlcservice/dlcservice.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "Downloadable content service daemon"
 author          "chromium-os-dev@chromium.org"

 start on starting system-services
 stop on stopping system-services
 expect fork
 respawn
 respawn limit 3 10  # if the job respawns 3 times in 10 seconds, stop trying.

 # Let dlcservice daemon be killable as it can restore itself when it's
 # consuming too much memory.
 oom score -100

 env PRELOAD_PATH=/var/cache/dlc-images
 env FACTORY_INSTALL_PATH=/mnt/stateful_partition/unencrypted/dlc-factory-images

 pre-start script
   if [ ! -d "/opt/google/dlc" ]; then
     logger -t "${UPSTART_JOB}" "No DLC metadata, stopping on purpose."
     stop
     exit 0
   fi
 end script

 script
   set --
   if [ -d "${PRELOAD_PATH}" ]; then
     set -- "$@" -b "${PRELOAD_PATH}"
   fi
   if [ -d "${FACTORY_INSTALL_PATH}" ]; then
     set -- "$@" -k '/mnt/stateful_partition,/mnt/stateful_partition,tmpfs,'
     set -- "$@" -b "${FACTORY_INSTALL_PATH},,1"
   fi
   # -i Exit immediately after fork.
   # -u Run as dlcservice user.
   # -g Run as dlcservice group.
   # -G Inherit supplementary groups from new uid.
   # -n prevents the executable from gaining new privileges.
   # minimal mount namespace without /dev because we want real /dev.
   # tmpfs on /run, /var, /sys so we can create mounts under them.
   # -b /mnt/stateful_partition/unencrypted/dlc-factory images is where
   #   factory installed DLC images reside.
   # -b /run/dbus for system dbus socket.
   # -b /var/lib/metrics Mount with write permissions for uma metrics.
   # -b /var/lib/dlcservice with write for preferences.
   # -b /var/cache/dlc write for DLC images.
   # -b /var/cache/dlc-images for preloaded DLC images.
   # -b /sys/block, -b /sys/devices, -b /dev for boot slot detection.
   # -S Set seccomp filter using dlcservice-seccomp.policy.
   exec minijail0 -i -u dlcservice -g dlcservice -G -n \
     --profile=minimalistic-mountns-nodev \
     -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
     -k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
     -k 'tmpfs,/sys,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
     -b /run/dbus \
     -b /var/lib/metrics,,1 \
     -b /var/lib/dlcservice,,1 \
     -b /var/cache/dlc,,1 \
     -b /sys/block \
     -b /sys/devices \
     -b /dev \
     "$@" \
     -S /usr/share/policy/dlcservice-seccomp.policy /usr/sbin/dlcservice
 end script
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Downloadable content service daemon"
	author "chromium-os-dev@chromium.org"

	start on starting system-services
	stop on stopping system-services
	expect fork
	respawn
	respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying.

	# Let dlcservice daemon be killable as it can restore itself when it's
	# consuming too much memory.
	oom score -100

	env PRELOAD_PATH=/var/cache/dlc-images
	env FACTORY_INSTALL_PATH=/mnt/stateful_partition/unencrypted/dlc-factory-images

	pre-start script
	if [ ! -d "/opt/google/dlc" ]; then
	logger -t "${UPSTART_JOB}" "No DLC metadata, stopping on purpose."
	stop
	exit 0
	fi
	end script

	script
	set --
	if [ -d "${PRELOAD_PATH}" ]; then
	set -- "$@" -b "${PRELOAD_PATH}"
	fi
	if [ -d "${FACTORY_INSTALL_PATH}" ]; then
	set -- "$@" -k '/mnt/stateful_partition,/mnt/stateful_partition,tmpfs,'
	set -- "$@" -b "${FACTORY_INSTALL_PATH},,1"
	fi
	# -i Exit immediately after fork.
	# -u Run as dlcservice user.
	# -g Run as dlcservice group.
	# -G Inherit supplementary groups from new uid.
	# -n prevents the executable from gaining new privileges.
	# minimal mount namespace without /dev because we want real /dev.
	# tmpfs on /run, /var, /sys so we can create mounts under them.
	# -b /mnt/stateful_partition/unencrypted/dlc-factory images is where
	# factory installed DLC images reside.
	# -b /run/dbus for system dbus socket.
	# -b /var/lib/metrics Mount with write permissions for uma metrics.
	# -b /var/lib/dlcservice with write for preferences.
	# -b /var/cache/dlc write for DLC images.
	# -b /var/cache/dlc-images for preloaded DLC images.
	# -b /sys/block, -b /sys/devices, -b /dev for boot slot detection.
	# -S Set seccomp filter using dlcservice-seccomp.policy.
	exec minijail0 -i -u dlcservice -g dlcservice -G -n \
	--profile=minimalistic-mountns-nodev \
	-k 'tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-k 'tmpfs,/var,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-k 'tmpfs,/sys,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-b /run/dbus \
	-b /var/lib/metrics,,1 \
	-b /var/lib/dlcservice,,1 \
	-b /var/cache/dlc,,1 \
	-b /sys/block \
	-b /sys/devices \
	-b /dev \
	"$@" \
	-S /usr/share/policy/dlcservice-seccomp.policy /usr/sbin/dlcservice
	end script