| # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Permission Broker Daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| env PERMISSION_BROKER_GRANT_GROUP=devbroker-access |
| |
| start on started firewalld |
| stop on stopping firewalld |
| expect fork |
| respawn |
| |
| # TODO(gdk): Unclaimed devices that are handled by the permission broker |
| # should, in the future, be owned by the devbroker user so that the permission |
| # broker does not need to run with enhanced capabilities. |
| |
| # Grant CAP_CHOWN, CAP_DAC_OVERRIDE, and CAP_FOWNER; set NoNewPrivs. |
| exec minijail0 -u devbroker -c 000b -i -n -- /usr/bin/permission_broker \ |
| --access_group=${PERMISSION_BROKER_GRANT_GROUP} |