| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "cecservice" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services |
| stop on stopping system-services |
| respawn |
| respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying. |
| |
| expect fork |
| |
| # -u run as user cecservice |
| # -g run as group cecservice |
| # -i exit immediately after fork (do not act as init). |
| # -l enter new IPC namespace |
| # -p enter new pid namespace |
| # -n set no_new_privs |
| # -w create and join a new anonymous session keyring |
| # -P pivot_root(2) into the chroot |
| # -t mount a new /tmp inside chroot |
| # -b/-k directories to mount into chroot |
| exec minijail0 -u cecservice -g cecservice -i -l -p -n -w -t \ |
| -P /var/empty -b / -b /dev -b /sys \ |
| -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/udev -b /run/dbus --uts \ |
| -- /usr/sbin/cecservice |
