| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the server proxy for arcvm" |
| author "chromium-os-dev@chromium.org" |
| |
| # arcvm-server-proxy should conceptually outlive arcvm so that the |
| # clientproxy in the guest can connect to the server-proxy. |
| # Upstart emits "starting" before the named job's process is launched and |
| # "stopped" once that job has fully stopped, so the two stanzas below make |
| # this job start first and stop last. Because the events are joined with |
| # "or", either job stopping stops the proxy. |
| # TODO(yusukes): Stop depending on vm_concierge once Chrome starts using |
| # arcvm.conf. |
| start on starting vm_concierge or starting arcvm |
| stop on stopped vm_concierge or stopped arcvm |
| |
| pre-start script |
| # Gate the job on the flag file under /run/chrome. grep -q prints nothing |
| # and -s hides the error for a missing or unreadable file, so an absent |
| # file is handled the same way as "not arcvm". |
| # NOTE(review): "1" is an unanchored pattern, so any line containing the |
| # character 1 passes. If the file only ever holds a single 0 or 1 (the |
| # writer is not visible here; confirm), `grep -qsx 1` makes the check exact. |
| # NOTE(review): whoever can write /run/chrome/is_arcvm decides whether the |
| # proxy starts; confirm the ownership and mode of that directory. |
| if ! grep -qs "1" /run/chrome/is_arcvm; then |
| # Stop the job unless Chrome is started with --enable-arcvm. |
| stop |
| # Exit successfully so the pre-start step is not reported as a failure. |
| exit 0 |
| fi |
| end script |
| |
| # Use minimalistic-mountns profile. |
| # -e for a new network namespace. |
| # -p -I for a new PID namespace and run the process as init (no need to fork). |
| # -l for a new IPC namespace. |
| # --uts for UTS namespace to isolate from host / domain names. |
| # -N for a new cgroup namespace. |
| # -k mounts a fresh tmpfs on /mnt and on /run, each with nosuid, nodev and |
| # noexec. |
| # /mnt is the mount point of the fuse file system. |
| # -b bind-mounts /dev/fuse and the socket into the jail. The socket bind |
| # follows the tmpfs on /run, presumably so that nothing else from the host's |
| # /run is exposed -- confirm against the profile's own mounts. |
| # /run/chrome/arc_bridge.sock is the socket connected to the ArcBridgeService |
| # in Chrome browser process. |
| # NOTE(review): no -u/-g, -c, -n or -S option appears on this command line, |
| # and no setuid/setgid stanza is visible in this job, so the proxy appears to |
| # keep the job's uid (normally root for a system job) and its full capability |
| # set inside these namespaces. Mounting FUSE on /mnt may be the reason; |
| # confirm whether a reduced capability mask, no_new_privs and a seccomp |
| # policy can be applied. |
| exec minijail0 \ |
| --profile=minimalistic-mountns \ |
| -e \ |
| -p -I \ |
| -l \ |
| --uts \ |
| -N \ |
| -k "tmpfs,/mnt,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC" \ |
| -k "tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC" \ |
| -b /dev/fuse \ |
| -b /run/chrome/arc_bridge.sock \ |
| -- /usr/bin/arcvm_server_proxy /mnt |
| |
| # Record the job's teardown in syslog, tagged with the Upstart job name. |
| post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arcvm-server-proxy" |