arc/sdcard/arc-sdcard.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2016 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Run /system/bin/sdcard in a container"
 author        "chromium-os-dev@chromium.org"

 # This job is started via arc-boot-continue.conf.
 # This job is stopped via arc-lifetime.conf.

 # Unused, but to be compliant with sdcardfs upstart script.
 import CONTAINER_PID

 env PIDFILE=/run/arc/sdcard.pid
 env ANDROID_ROOTFS_DIR=/opt/google/containers/android/rootfs/root
 env ANDROID_MUTABLE_SOURCE=/opt/google/containers/android/rootfs/android-data
 env SDCARD_ROOTFS_DIR=\
 /opt/google/containers/arc-sdcard/mountpoints/container-root
 env SDCARD_MOUNT_DIR=/run/arc/sdcard

 env ROOT_UID=655360
 env SDCARD_UID=656383

 # Clean up a stale pid file if it exists.
 pre-start exec rm -f $PIDFILE

 # Note: $SDCARD_MOUNT_DIR/... and $ANDROID_MUTABLE_SOURCE/data/...
 # (including /data/media) should have been properly initialized.

 # systemd-cat is used to redirect stdio from sdcard to journald for logging
 # minijail will exit after forking into PID namespace and upstart tracks root
 # of PID namespace
 # -T static because mounts prevent minijail detecting that binary is static
 # TODO(ereth): replace 0x44000 for the / dir mount with MS_REC|MS_PRIVATE once
 #              minijail accepts this combination of flags
 expect fork
 exec /usr/bin/systemd-cat -t "${UPSTART_JOB}" \
   capsh --drop=CAP_BLOCK_SUSPEND,CAP_WAKE_ALARM,CAP_SYS_BOOT \
     -- -c "exec minijail0 \
           -P $SDCARD_ROOTFS_DIR \
           -e -p -v -l -K -i \
           -a android \
           -f $PIDFILE \
           -k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC'  \
           -b $ANDROID_ROOTFS_DIR/system/bin/sdcard,/system/bin/sdcard \
           -b $ANDROID_MUTABLE_SOURCE/data,/data,1 \
           -b /home/chronos/user/Downloads,/Downloads,1 \
           -k none,/,none,0x44000 \
           -b $SDCARD_MOUNT_DIR,/mnt/runtime,1 \
           -k 'none,/mnt/runtime,none,MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT' \
           -T static \
           -- /system/bin/sdcard -u $SDCARD_UID -g $SDCARD_UID \
              -m -w /data/media emulated"

 post-stop exec /usr/sbin/arc-setup --mode=unmount-sdcard \
   "--log_tag=${UPSTART_JOB}"
	# Copyright 2016 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Run /system/bin/sdcard in a container"
	author "chromium-os-dev@chromium.org"

	# This job is started via arc-boot-continue.conf.
	# This job is stopped via arc-lifetime.conf.

	# Unused, but to be compliant with sdcardfs upstart script.
	import CONTAINER_PID

	env PIDFILE=/run/arc/sdcard.pid
	env ANDROID_ROOTFS_DIR=/opt/google/containers/android/rootfs/root
	env ANDROID_MUTABLE_SOURCE=/opt/google/containers/android/rootfs/android-data
	env SDCARD_ROOTFS_DIR=\
	/opt/google/containers/arc-sdcard/mountpoints/container-root
	env SDCARD_MOUNT_DIR=/run/arc/sdcard

	env ROOT_UID=655360
	env SDCARD_UID=656383

	# Clean up a stale pid file if it exists.
	pre-start exec rm -f $PIDFILE

	# Note: $SDCARD_MOUNT_DIR/... and $ANDROID_MUTABLE_SOURCE/data/...
	# (including /data/media) should have been properly initialized.

	# systemd-cat is used to redirect stdio from sdcard to journald for logging
	# minijail will exit after forking into PID namespace and upstart tracks root
	# of PID namespace
	# -T static because mounts prevent minijail detecting that binary is static
	# TODO(ereth): replace 0x44000 for the / dir mount with MS_REC\|MS_PRIVATE once
	# minijail accepts this combination of flags
	expect fork
	exec /usr/bin/systemd-cat -t "${UPSTART_JOB}" \
	capsh --drop=CAP_BLOCK_SUSPEND,CAP_WAKE_ALARM,CAP_SYS_BOOT \
	-- -c "exec minijail0 \
	-P $SDCARD_ROOTFS_DIR \
	-e -p -v -l -K -i \
	-a android \
	-f $PIDFILE \
	-k 'proc,/proc,proc,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-b $ANDROID_ROOTFS_DIR/system/bin/sdcard,/system/bin/sdcard \
	-b $ANDROID_MUTABLE_SOURCE/data,/data,1 \
	-b /home/chronos/user/Downloads,/Downloads,1 \
	-k none,/,none,0x44000 \
	-b $SDCARD_MOUNT_DIR,/mnt/runtime,1 \
	-k 'none,/mnt/runtime,none,MS_NOSUID\|MS_NODEV\|MS_NOEXEC\|MS_REMOUNT' \
	-T static \
	-- /system/bin/sdcard -u $SDCARD_UID -g $SDCARD_UID \
	-m -w /data/media emulated"

	post-stop exec /usr/sbin/arc-setup --mode=unmount-sdcard \
	"--log_tag=${UPSTART_JOB}"