| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the Chromium OS Newblue daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| env seccomp_flags="-S /usr/share/policy/newblued-seccomp.policy" |
| env BLUETOOTH_LIBDIR=/var/lib/bluetooth |
| |
| start on stopped bluetooth-setup |
| stop on stopping system-services |
| respawn |
| |
| pre-start script |
| mkdir -p -m 0750 "${BLUETOOTH_LIBDIR}" |
| chown -R bluetooth:bluetooth "${BLUETOOTH_LIBDIR}" |
| end script |
| |
| # Minijail actually forks off our desired process. |
| expect fork |
| |
| # Add modules here in --vmodule format for debugging. |
| env VMODULE_ARG= |
| |
| # -u bluetooth changes user. |
| # -g bluetooth changes group. |
| # -G inherit bluetooth's supplementary groups. |
| # -i makes sure minijail0 exits right away and won't block upstart. |
| # -n prevents that execve gains privileges, required for seccomp filters. |
| # -l creates IPC namespace (isolates System V IPC objects/POSIX message queues). |
| # -p creates PID namespace (process won't see any other processes). |
| # -v enters new mount namespace, allows to change mounts inside jail. |
| # -r remounts /proc read-only (prevents any messing with it). |
| # -t creates new, empty tmp directory (technically, mounts tmpfs). |
| # --uts enters a new UTS namespace. |
| # -e enters new network namespace. |
| # --profile minimalistic-mountns sets up minimalistic mount namespace. |
| # -k /run,/run,tmpfs,... mounts tmpfs at /run |
| # -b /run/chromeos-config/v1 is required to access chromeos-config. |
| # -b /dev/log,,1 is required for syslog. |
| # -b /dev/hci_le,,1 for r/w access to HCI Bluetooth LE traffic. |
| # -b /dev/uhid,,1 for access to UHID (e.g. mouse/keyboard). |
| # -b /run/dbus mount read-only, required for D-Bus. |
| # -b /var/lib/bluetooth,,1 for r/w access to persist and BlueZ config. |
| script |
| set -- |
| if [ -e /dev/hci_le ]; then |
| set -- "$@" -b /dev/hci_le,,1 |
| fi |
| if [ -e /dev/uhid ]; then |
| set -- "$@" -b /dev/uhid,,1 |
| fi |
| |
| exec minijail0 -u bluetooth -g bluetooth -G -i -n -l -p -v -r -t --uts -e \ |
| --profile minimalistic-mountns \ |
| -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/chromeos-config/v1 \ |
| -b /dev/log,,1 \ |
| -b /run/dbus \ |
| -b /var/lib/bluetooth,,1 \ |
| "$@" \ |
| ${seccomp_flags} \ |
| -- \ |
| /usr/bin/newblued \ |
| --vmodule="${VMODULE_ARG}" |
| end script |