| # Copyright 2017 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the U2FHID emulation daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # TODO(crbug.com/770150) also start on device policy creation/update for OOBE. |
| start on started trunksd |
| stop on stopping system-services |
| respawn |
| # if the job respawns 3 times in 10 seconds, stop trying. |
| respawn limit 3 10 |
| # Do not respawn if we exited on purpose (e.g. service disabled). |
| normal exit 0 |
| |
| # Directory containing (u2f|g2f|verbose).force files. |
| env FORCE_DIR=/var/lib/u2f/force |
| |
| pre-start script |
| mkdir -p /var/lib/whitelist |
| # Settings override. |
| mkdir -p -m 0700 "${FORCE_DIR}" |
| end script |
| |
| # -e creates Network namespace. |
| # -p creates PID namespace. |
| # -l creates IPC namespace. |
| # -r remounts /proc read-only. |
| # -v enters new mount namespace (allows to change mounts inside jail). |
| # -n prevents that execve gains privileges. |
| # --uts creates a new UTS namespace. |
| # -c 0 don't need any capability. |
| # -P creates a pivot_root at the target folder. |
| # -b /,/ mounts / read-only. |
| # -b /run,/run mount read-only, required for D-Bus. |
| # -b /dev,/dev required to access /dev/uhid. |
| # -b ...,/var to read device policies from /var/lib/whitelist/policy. |
| # -u u2f change user. |
| # -G inherit u2f supplementary groups (ie policy-readers) |
| # -g bluetooth change group to access /dev/uhid. |
| script |
| force_enabled() { |
| [ -f "${FORCE_DIR}/$1.force" ] |
| } |
| |
| ARGS="" |
| force_enabled u2f && ARGS="${ARGS} --force_u2f" |
| force_enabled g2f && ARGS="${ARGS} --force_g2f" |
| force_enabled user_keys && ARGS="${ARGS} --user_keys" |
| force_enabled allowlist_data && ARGS="${ARGS} --g2f_allowlist_data" |
| force_enabled verbose && ARGS="${ARGS} --verbose" |
| |
| # u2fd needs access /dev/uhid to create a new virtual USBHID device. |
| exec minijail0 -e -p -l -r -v -n --uts -c 0 -Kslave \ |
| --profile=minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k '/run/daemon-store/u2f,/run/daemon-store/u2f,none,MS_BIND|MS_REC' \ |
| -b /dev/uhid \ |
| -b /run/dbus \ |
| -b /var/lib/whitelist \ |
| -b /var/lib/metrics,,1 \ |
| -u u2f -G -g bluetooth -- /usr/bin/u2fd ${ARGS} |
| end script |