blob: 5f79d3620fa069586fa49747edbe9e734984b964 [file] [log] [blame]
# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Run apk-cache-cleaner with minijail0.
# 656360 is an Android system UID/GID
set -e
# See src/platform2/arc/setup/ for more info about these values.
if [ ! -d "${APK_CACHE_PATH}" ]; then
# If the APK cache directory does not exist, there's nothing to clean.
exit 0
# Bind cache directory as writable. Add /var directory to follow /etc/localtime.
# Enter new pid and cgroup namespaces. Setting no new privileges.
# Restrict caps to 0. Entering new mount namespace, new UTS namespace,
# new IPC namespace and new network namespace.
exec minijail0 --profile minimalistic-mountns \
-k 'none,/mnt,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=64k' \
-b "${APK_CACHE_PATH},,1" \
-k 'none,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=64k' \
-b /var/lib/timezone \
-p -N -n -c 0 -v -r --uts -l -e \
-S /usr/share/policy/apk-cache-cleaner-seccomp.policy \
-u "${SYSTEM_UID}" -g "${SYSTEM_GID}" -- /usr/sbin/apk-cache-cleaner