| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the Chromium OS biometrics daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services and stopped bio_crypto_init and started uinput |
| stop on stopping system-services |
| respawn |
| respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying. |
| |
| env LOG_DIR=/var/log/biod |
| |
| pre-start script |
| mkdir -m 755 -p "${LOG_DIR}" |
| chown biod:biod "${LOG_DIR}" |
| end script |
| |
| # Here (in order) are a list of the args added: |
| # - Set mount namespace to be a slave mount. |
| # - Set up a new VFS namespace (although this should be covered by |
| # minimalistic-mountns, leaving this out yields the following error: |
| # "Can't skip marking mounts as MS_PRIVATE without mount namespaces.") |
| # - Use the minimal mountns profile to start. |
| # - Get a writeable and empty /run tmpfs path. |
| # - Mount dbus and daemonstore on it. |
| # - Get a writeable and empty /var tmpfs path. |
| # - Mount the log directory in it. |
| # - Mount the metrics directory. |
| # - Mount the FPMCU dev node. |
| # - Run as biod user and group. |
| # - Inherit supplementary groups from from user biod. |
| # - Grant no caps. |
| # - Execute the daemon. |
| # - Add the log dir. |
| # - Pipe output to biod.out. |
| exec minijail0 \ |
| -Kslave \ |
| -v \ |
| --profile minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/dbus -b /run/daemon-store/biod \ |
| -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b ${LOG_DIR},,1 \ |
| -b /var/lib/metrics,,1 \ |
| -b /dev/cros_fp \ |
| -b /dev/uinput \ |
| -u biod -g biod -g uinput \ |
| -G \ |
| -c 0 \ |
| -- /usr/bin/biod \ |
| --log_dir=${LOG_DIR} \ |
| >/var/log/biod.out 2>&1 |