| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start arc-data-snapshotd daemon in Chrome OS." |
| author "chromium-os-dev@chromium.org" |
| |
| # Chrome browser manages a lifetime of arc-data-snapshotd daemon via upstart. |
| # The daemon is responsible for ARC snapshot of data/ directory management. |
| stop on stopping ui |
| |
| # Killable for memory leaks. |
| oom score -100 |
| |
| respawn |
| # If the job respawns 3 times in 10 seconds, stop trying. |
| respawn limit 3 10 |
| |
| env SNAPSHOT_DIR=/mnt/stateful_partition/unencrypted/arc-data-snapshot |
| |
| pre-start script |
| mkdir -p -m 755 "${SNAPSHOT_DIR}" |
| chown -R arc-data-snapshotd:arc-data-snapshotd "${SNAPSHOT_DIR}" |
| end script |
| |
| # Used jailing parameters: |
| # -e: new network namespace; |
| # -l: new IPC namespace; |
| # -n: the no_new_privs bit; |
| # -p: new PID namespace; |
| # -t: a new tmpfs filesystem for /tmp; |
| # -v: new VFS namespace; |
| # --uts: new UTS/hostname namespace; |
| # -u, -g: user account and group; |
| # --profile: minimalistic mount namespace; |
| # -k /mnt: a new tmpfs filesystem for /run, with the subsequent parameters |
| # mounting specific files into this directory; |
| # -k /run: a new tmpfs filesystem for /run, with the subsequent parameters |
| # mounting specific files into this directory; |
| # -b /run/dbus: shared socket file for talking with the D-Bus daemon; |
| # -b /mnt/stateful_partition/unencrypted/arc-data-snapshot: arc data snapshot |
| # directory; |
| # -b /opt/google/containers/android/rootfs/android-data: bind mounted |
| # android-data directory; |
| # -S: apply seccomp filters. |
| script |
| logger -t "${UPSTART_JOB}" "Start arc-data-snapshotd" |
| set -x |
| |
| exec minijail0 -e -l -n -p -t -v --uts \ |
| -u arc-data-snapshotd -g arc-data-snapshotd \ |
| --profile=minimalistic-mountns \ |
| -k 'tmpfs,/mnt,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \ |
| -b /run/dbus \ |
| -b "${SNAPSHOT_DIR}" \ |
| -b /opt/google/containers/android/rootfs/android-data \ |
| -S /usr/share/policy/arc-data-snapshotd-seccomp.policy \ |
| -- /usr/bin/arc-data-snapshotd |
| end script |
| |
| # Wait for daemon to claim its D-Bus name before transitioning to started. |
| post-start exec minijail0 -u arc-data-snapshotd -g arc-data-snapshotd \ |
| /usr/bin/gdbus wait --system --timeout 15 org.chromium.ArcDataSnapshotd |
| |
| post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-data-snapshotd" |