| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Binary to program bio sensors with TPM seed." |
| author "chromium-os-dev@chromium.org" |
| |
| # This job blocks the boot process in boot-services until all parts of this |
| # job/task are complete. This is important for the following two reasons: |
| # 1. For security purposes, we want to ensure that the secret seed is |
| # transferred and cleared before other major processes are running. |
| # 2. We want to ensure that this process does not conflict with the firmware |
| # in boot-update-firmware, which cannot have a direct dependence on this |
| # upstart job. |
| start on starting boot-services |
| task |
| |
| env LOG_DIR=/var/log/bio_crypto_init |
| env FP_DEV=/dev/cros_fp |
| |
| pre-start script |
| mkdir -m 755 -p "${LOG_DIR}" |
| chown biod:biod "${LOG_DIR}" |
| if [ -c "${FP_DEV}" ]; then |
| # Since we are running before udev executes, we need to manually make the |
| # dev node accessible inside the sandbox. |
| chown root:biod "${FP_DEV}" |
| chmod 660 "${FP_DEV}" |
| else |
| # No point in continuing if there isn't a device node |
| stop |
| exit 0 |
| fi |
| end script |
| |
| # Here (in order) are a list of the args added: |
| # - Create and enter new UTS namespace (hostname/NIS domain name). |
| # - Create and enter new network namespace. |
| # - Create and enter new IPC namespace. |
| # - Create and enter new cgroup namespace. |
| # - Create and enter new PID namespace. |
| # - Same options as minimalistic-mountns except we do not mount /dev/log because |
| # it doesn't necessarily exist since the logging daemon hasn't started yet. |
| # - Get a writeable and empty /run tmpfs path. |
| # - Mount the /run/biod_seed file. |
| # - Get a writeable and empty /var tmpfs path. |
| # - Mount the log directory in it. |
| # - Mount the FPMCU dev node. |
| # - Run as biod user and group. |
| # - Inherit supplementary groups from from user biod. |
| # - Grant no caps. |
| # - No new privileges (no_new_privs). |
| # - Use bio_crypto_init seccomp policy. |
| # - Execute the binary. |
| exec minijail0 \ |
| --uts \ |
| -e \ |
| -l \ |
| -N \ |
| -p \ |
| -v -P /mnt/empty -b / -b /proc -t -r --mount-dev \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/bio_crypto_init,,1 \ |
| -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b ${LOG_DIR},,1 \ |
| -b ${FP_DEV} \ |
| -u biod -g biod \ |
| -G \ |
| -c 0 \ |
| -n \ |
| -S /usr/share/policy/bio-crypto-init-seccomp.policy \ |
| -- /usr/bin/bio_crypto_init \ |
| --log_dir=${LOG_DIR} |
| |
| # Ensure the /run file is cleaned up in case it still exists. |
| post-stop script |
| rm -f /run/bio_crypto_init/seed |
| end script |