bluetooth/init/upstart/newblued.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Start the Chromium OS Newblue daemon"
 author        "chromium-os-dev@chromium.org"

 env seccomp_flags="-S /usr/share/policy/newblued-seccomp.policy"

 start on stopped bluetooth-setup
 stop on stopping system-services
 respawn

 # Minijail actually forks off our desired process.
 expect fork

 # Add modules here in --vmodule format for debugging.
 env VMODULE_ARG=

 # -u bluetooth changes user.
 # -g bluetooth changes group.
 # -G inherit bluetooth's supplementary groups.
 # -i makes sure minijail0 exits right away and won't block upstart.
 # -n prevents that execve gains privileges, required for seccomp filters.
 # -l creates IPC namespace (isolates System V IPC objects/POSIX message queues).
 # -p creates PID namespace (process won't see any other processes).
 # -v enters new mount namespace, allows to change mounts inside jail.
 # -r remounts /proc read-only (prevents any messing with it).
 # -t creates new, empty tmp directory (technically, mounts tmpfs).
 # --uts enters a new UTS namespace.
 # -e enters new network namespace.
 # --profile minimalistic-mountns sets up minimalistic mount namespace.
 # -k /run,/run,tmpfs,... mounts tmpfs at /run
 # -b /dev/log,,1 is required for syslog.
 # -b /dev/hci_le,,1 for r/w access to HCI Bluetooth LE traffic.
 # -b /dev/uhid,,1 for access to UHID (e.g. mouse/keyboard).
 # -b /run/dbus mount read-only, required for D-Bus.
 # -b /var/lib/bluetooth allows read-only access to BlueZ's config files.
 script
   set --
   if [ -e /dev/hci_le ]; then
     set -- "$@" -b /dev/hci_le,,1
   fi
   if [ -e /dev/uhid ]; then
     set -- "$@" -b /dev/uhid,,1
   fi

   exec minijail0 -u bluetooth -g bluetooth -G -i -n -l -p -v -r -t --uts -e \
       --profile minimalistic-mountns \
       -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
       -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
       -b /dev/log,,1 \
       -b /run/dbus \
       -b /var/lib/bluetooth \
       "$@" \
       ${seccomp_flags} \
       -- \
       /usr/bin/newblued \
       --vmodule="${VMODULE_ARG}"
 end script
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start the Chromium OS Newblue daemon"
	author "chromium-os-dev@chromium.org"

	env seccomp_flags="-S /usr/share/policy/newblued-seccomp.policy"

	start on stopped bluetooth-setup
	stop on stopping system-services
	respawn

	# Minijail actually forks off our desired process.
	expect fork

	# Add modules here in --vmodule format for debugging.
	env VMODULE_ARG=

	# -u bluetooth changes user.
	# -g bluetooth changes group.
	# -G inherit bluetooth's supplementary groups.
	# -i makes sure minijail0 exits right away and won't block upstart.
	# -n prevents that execve gains privileges, required for seccomp filters.
	# -l creates IPC namespace (isolates System V IPC objects/POSIX message queues).
	# -p creates PID namespace (process won't see any other processes).
	# -v enters new mount namespace, allows to change mounts inside jail.
	# -r remounts /proc read-only (prevents any messing with it).
	# -t creates new, empty tmp directory (technically, mounts tmpfs).
	# --uts enters a new UTS namespace.
	# -e enters new network namespace.
	# --profile minimalistic-mountns sets up minimalistic mount namespace.
	# -k /run,/run,tmpfs,... mounts tmpfs at /run
	# -b /dev/log,,1 is required for syslog.
	# -b /dev/hci_le,,1 for r/w access to HCI Bluetooth LE traffic.
	# -b /dev/uhid,,1 for access to UHID (e.g. mouse/keyboard).
	# -b /run/dbus mount read-only, required for D-Bus.
	# -b /var/lib/bluetooth allows read-only access to BlueZ's config files.
	script
	set --
	if [ -e /dev/hci_le ]; then
	set -- "$@" -b /dev/hci_le,,1
	fi
	if [ -e /dev/uhid ]; then
	set -- "$@" -b /dev/uhid,,1
	fi

	exec minijail0 -u bluetooth -g bluetooth -G -i -n -l -p -v -r -t --uts -e \
	--profile minimalistic-mountns \
	-k '/run,/run,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-k '/var,/var,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-b /dev/log,,1 \
	-b /run/dbus \
	-b /var/lib/bluetooth \
	"$@" \
	${seccomp_flags} \
	-- \
	/usr/bin/newblued \
	--vmodule="${VMODULE_ARG}"
	end script