| # Copyright 2019 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the cryptohome-proxy daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on starting cryptohomed |
| stop on stopping cryptohomed |
| respawn |
| |
| expect fork |
| |
| # -u Run as cryptohome user |
| # -g Run as cryptohome group |
| # -i Fork and exit |
| # -e New network namespace |
| # -l New IPC namespace |
| # -n No new privileges |
| # -p New PID namespace |
| # -v New mount namespace |
| # -r Remount /proc read-only |
| # --uts New UTS namespace |
| # -c 0 Grant no caps |
| # -S Apply seccomp policy |
| # /var/lib/metrics is needed for UMA. |
| |
| exec minijail0 -u cryptohome -g cryptohome -e -i -l -n -p -v -r --uts -c 0 \ |
| --profile=minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -S /usr/share/policy/cryptohome-proxy.policy \ |
| -b /run/dbus \ |
| -b /var/lib/metrics,,1 -- \ |
| /usr/sbin/cryptohome-proxy |