| # Copyright 2019 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the cryptohome-proxy daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on starting cryptohomed |
| stop on stopping cryptohomed |
| respawn |
| |
| # Check if we are using the new interface, we'll only start the proxy in |
| # that case. |
| pre-start script |
| # Call the script to determine if we are running the new interface. |
| if ! /usr/libexec/cryptohome/shall-use-userdataauth.sh; then |
| # Old interface is used. |
| stop |
| fi |
| end script |
| |
| expect fork |
| |
| # -u Run as cryptohome user |
| # -g Run as cryptohome group |
| # -i Fork and exit |
| # -e New network namespace |
| # -l New IPC namespace |
| # -n No new privileges |
| # -p New PID namespace |
| # -v New mount namespace |
| # -r Remount /proc read-only |
| # --uts New UTS namespace |
| # -c 0 Grant no caps |
| # -S Apply seccomp policy |
| |
| |
| exec minijail0 -u cryptohome -g cryptohome -e -i -l -n -p -v -r --uts -c 0 \ |
| --profile=minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -S /usr/share/policy/cryptohome-proxy.policy \ |
| -b /run/dbus -- \ |
| /usr/sbin/cryptohome-proxy |
