# Copyright 2021 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "DNS proxy daemon"
author "chromium-os-dev@chromium.org"
start on starting system-services
stop on stopping system-services
respawn
respawn limit 3 5
# Do not respawn if the service is terminated on purpose.
normal exit 0
# Sacrifice before OOM panic.
# TODO(garrick): Add vm size limit.
oom score 0
# minijail0 forks off the daemon, so upstart must track the forked child
# rather than minijail0 itself.
expect fork
script
  # Assemble the minijail0 command line.  A network namespace (-e) is
  # deliberately NOT requested: the daemon has to reach upstream DNS servers.
  #
  # Process / namespace isolation:
  #   -i     minijail0 exits right after forking, so upstart is not blocked
  #   --uts  new UTS namespace: host/domain name changes stay local
  #   -l     new IPC namespace: System V IPC objects and POSIX message queues
  #   -r     remount /proc read-only
  #   -t     fresh, empty /tmp (a tmpfs)
  #   -n     no_new_privs: execve cannot gain privileges; required for seccomp
  args="-i --uts -l -r -t -n"
  # Seccomp policy for the daemon.
  args="${args} -S /usr/share/policy/dns-proxy-seccomp.policy"
  # Minimal mount namespace.  /run is replaced by a fresh tmpfs
  # (nosuid, nodev, noexec); the bind mounts that follow expose only the
  # paths the daemon needs, all read-only (minijail's -b default):
  #   /run/dbus   D-Bus socket
  #   /sbin       minijail0, so the daemon can start sandboxed processes
  #   /run/shill  DNS resolution
  args="${args} --profile minimalistic-mountns"
  args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC"
  args="${args} -b /run/dbus -b /sbin -b /run/shill"
  # Run as the unprivileged dns-proxy user/group, keeping only the two
  # capabilities the daemon needs:
  #   cap_sys_admin         to start sandboxed processes itself
  #   cap_net_bind_service  to bind the privileged default DNS port (53)
  # NOTE(review): --ambient is not passed; confirm these capabilities actually
  # survive the execve into /usr/sbin/dnsproxyd — TODO confirm.
  args="${args} -u dns-proxy -g dns-proxy"
  args="${args} -c cap_sys_admin,cap_net_bind_service=e"
  # Hand the process over to minijail0 with the daemon as its payload.
  exec minijail0 ${args} /usr/sbin/dnsproxyd
end script