# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description "Start the Chromium OS biometrics daemon"
author "chromium-os-dev@chromium.org"

# Ordering: do not start until system-services is up, the bio_crypto_init job
# has stopped (presumably it prepares the FPMCU before biod talks to it —
# confirm), and uinput has started, since /dev/uinput is bind-mounted into the
# daemon's jail below.
start on started system-services and stopped bio_crypto_init and started uinput
stop on stopping system-services
respawn
respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying.

# Shared by the pre-start script and the exec stanza: LOG_DIR is created and
# chowned in pre-start and bind-mounted writable into the jail; FP_DEV is the
# FPMCU character device, checked in pre-start and bind-mounted read-only.
env LOG_DIR=/var/log/biod
env FP_DEV=/dev/cros_fp

pre-start script
  # Runs as root before minijail0 drops privileges: make sure the log directory
  # exists and is owned by the unprivileged biod user that writes into it.
  mkdir -m 755 -p "${LOG_DIR}"
  chown biod:biod "${LOG_DIR}"
  # Without the FPMCU character device there is nothing to serve. Record why,
  # ask upstart to stop the job, and exit 0 so this is not counted as a failed
  # start (the job has "respawn" set).
  test -c "${FP_DEV}" || {
    echo "${FP_DEV} not available, stopping." > /var/log/biod.out
    stop
    exit 0
  }
end script

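# Here (in order) are a list of the args added:
# - Create and enter new UTS namespace (hostname/NIS domain name).
# - Create and enter new network namespace.
# - Create and enter new IPC namespace.
# - Create and enter new cgroup namespace.
# - Create and enter new PID namespace.
# - Set mount namespace to be a slave mount.
# - Set up a new VFS namespace (although this should be covered by
#   minimalistic-mountns, leaving this out yields the following error:
#   "Can't skip marking mounts as MS_PRIVATE without mount namespaces.")
# - Use the minimal mountns profile to start.
# - Get a writeable and empty /run tmpfs path.
# - Mount dbus.
# - Provide access to chromeos-config thru /run/chromeos-config/v1.
# - Mount daemon store with the MS_BIND|MS_REC options to handle the case
#   biod starts after the user's cryptohome is already mounted (e.g. after a
#   crash).
# - Get a writeable and empty /var tmpfs path.
# - Mount the log directory in it (the trailing ",,1" makes the bind
#   writable; every other -b below is read-only).
# - Mount the metrics directory (writable).
# - Mount the FPMCU dev node.
# - Mount the /dev/uinput device node.
# - Mount the /sys directory as chromeos-config tries to get the product name,
#   sku and other details from sysfs files.
# - Run as biod user and group.
# - Inherit supplementary groups from user biod.
# - Grant no caps.
# - No new privileges (no_new_privs).
# - Use biod seccomp policy.
# - Execute the daemon.
# - Add the log dir.
# - Pipe output to biod.out.
#
# Because this stanza contains ${...} expansions and redirections, upstart
# hands it to a shell; the expansions are therefore quoted so the arguments
# survive word-splitting unchanged even if the env values are ever edited.
exec minijail0 \
  --uts \
  -e \
  -l \
  -N \
  -p \
  -Kslave \
  -v \
  --profile minimalistic-mountns \
  -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
  -b /run/dbus \
  -b /run/chromeos-config/v1 \
  -k '/run/daemon-store/biod,/run/daemon-store/biod,none,MS_BIND|MS_REC' \
  -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
  -b "${LOG_DIR},,1" \
  -b /var/lib/metrics,,1 \
  -b "${FP_DEV}" \
  -b /dev/uinput \
  -b /sys \
  -u biod -g biod \
  -G \
  -c 0 \
  -n \
  -S /usr/share/policy/biod-seccomp.policy \
  -- /usr/bin/biod \
  --log_dir="${LOG_DIR}" \
  >/var/log/biod.out 2>&1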