| # Copyright 2017 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start camera algorithm service" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services |
| stop on stopping system-services |
| expect fork |
| respawn |
| respawn limit 10 5 |
| |
| env SECCOMP_POLICY_FILE=/usr/share/policy/cros-camera-algo.policy |
| |
| pre-start script |
| set -x |
| # Run the board-specific setup hooks, if any. |
| sh /etc/camera/setup-hooks-algo.sh || true |
| end script |
| |
| post-start script |
| # Run the board-specific hooks, if any. |
| sh /etc/camera/post-start-hooks-algo.sh || true |
| end script |
| |
| script |
| # Start constructing minijail0 args... |
| args="" |
| |
| # Enter a new mount, network, PID, IPC and cgroup namespace. |
| args="$args --profile=minimalistic-mountns -e -p -l -N" |
| |
| # Change user and group to arc-camera. |
| args="$args -u arc-camera -g arc-camera" |
| |
| # Set -i to fork and daemonize an init-like process that Upstart will track |
| # as the service. |
| args="$args -i" |
| |
| # Set -G to inherit supplementary groups for accessing serivices restricted |
| # to it, for example, perfetto. |
| args="$args -G" |
| |
| args="$args -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC" |
| args="$args -k tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC" |
| args="$args -b /run/perfetto,,1" |
| args="$args -b /run/camera,,1" |
| args="$args -b /var/cache/camera,,1" |
| |
| # Mount /run/chromeos-config/v1 for access to chromeos-config. |
| args="$args -b /run/chromeos-config/v1" |
| |
| # Set RLIMIT_NICE(=13) to 40,40 |
| args="$args -R 13,40,40" |
| |
| # Drop privileges and set seccomp filter. |
| args="$args -n -S ${SECCOMP_POLICY_FILE}" |
| args="$args -- /usr/bin/cros_camera_algo" |
| |
| exec minijail0 $args |
| end script |
