ocr/init/ocr_service.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2020 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description    "Chrome OS Optical Character Recognition (OCR) Service"
 author         "chromium-os-dev@chromium.org"

 # This service is started by D-Bus service activation through
 # org.chromium.OpticalCharacterRecognition.service
 stop on stopping ui

 #  Minijail forks off the desired process and exits after forking.
 expect fork

 pre-start script
   # Check if UI is still running before starting ocr_service.
   # This is to prevent new dbus-activated instances from getting
   # started once the system is beginning to shut down.
   if ! initctl status ui | grep -q running; then
     stop
     exit 0
   fi
 end script

 # Used jailing parameters:
 #   -e: enter new network namespace (for process that
 #     doesn't need network access);
 #   -i: minijail0 exits right after forking.
 #   -l: new IPC namespace (isolates IPC resources).
 #   -N: new cgroup namespace.
 #   -n: set no new privileges (no_new_privs bit).
 #   -p: Enter new pid namespace (implies -vr).
 #   -r: remount /proc read-only.
 #   -v: enter new mount namespace.
 #   --profile=minimalistic-mountns: Enables mount and process namespace
 #     which includes /var/empty, /, proc (RO), /dev/log, /tmp (tmpfs).
 #   -u: change userid to <user>
 #   -g: change gid to <group>
 #   -G: inherit supplementary groups from new uid.
 #   --uts: enters new UTS namespace. It makes changes to the host/domain
 #     name not affect the rest of the system.
 #   -k: regular mount (source, target, filesystemtype, mountflags, data)
 #   -b /run/dbus: mount /run/dbus to be able to communicate with D-bus.
 exec minijail0 -e -i -l -N -n -p --uts \
   -u ocr_service -g ocr_service -G \
   --profile=minimalistic-mountns \
   -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
   -b /run/dbus \
   -- /usr/bin/ocr_service

 post-start exec minijail0 -u ocr_service -g ocr_service /usr/bin/gdbus \
     wait --system --timeout 15 org.chromium.OpticalCharacterRecognition
	# Copyright 2020 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Chrome OS Optical Character Recognition (OCR) Service"
	author "chromium-os-dev@chromium.org"

	# This service is started by D-Bus service activation through
	# org.chromium.OpticalCharacterRecognition.service
	stop on stopping ui

	# Minijail forks off the desired process and exits after forking.
	expect fork

	pre-start script
	# Check if UI is still running before starting ocr_service.
	# This is to prevent new dbus-activated instances from getting
	# started once the system is beginning to shut down.
	if ! initctl status ui \| grep -q running; then
	stop
	exit 0
	fi
	end script

	# Used jailing parameters:
	# -e: enter new network namespace (for process that
	# doesn't need network access);
	# -i: minijail0 exits right after forking.
	# -l: new IPC namespace (isolates IPC resources).
	# -N: new cgroup namespace.
	# -n: set no new privileges (no_new_privs bit).
	# -p: Enter new pid namespace (implies -vr).
	# -r: remount /proc read-only.
	# -v: enter new mount namespace.
	# --profile=minimalistic-mountns: Enables mount and process namespace
	# which includes /var/empty, /, proc (RO), /dev/log, /tmp (tmpfs).
	# -u: change userid to <user>
	# -g: change gid to <group>
	# -G: inherit supplementary groups from new uid.
	# --uts: enters new UTS namespace. It makes changes to the host/domain
	# name not affect the rest of the system.
	# -k: regular mount (source, target, filesystemtype, mountflags, data)
	# -b /run/dbus: mount /run/dbus to be able to communicate with D-bus.
	exec minijail0 -e -i -l -N -n -p --uts \
	-u ocr_service -g ocr_service -G \
	--profile=minimalistic-mountns \
	-k 'tmpfs,/run,tmpfs,MS_NODEV\|MS_NOSUID\|MS_NOEXEC,mode=755,size=10M' \
	-b /run/dbus \
	-- /usr/bin/ocr_service

	post-start exec minijail0 -u ocr_service -g ocr_service /usr/bin/gdbus \
	wait --system --timeout 15 org.chromium.OpticalCharacterRecognition