| # Copyright 2017 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start camera algorithm service" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services |
| stop on stopping system-services |
| expect fork |
| respawn |
| respawn limit 10 5 |
| |
| env CHROOT_PATH=/run/camera |
| env SECCOMP_POLICY_FILE=/usr/share/policy/cros-camera-algo.policy |
| |
| pre-start script |
| set -x |
| # Create directory for mounting /dev/urandom in chroot |
| mkdir -p "${CHROOT_PATH}"/dev |
| |
| # Create directory for binding camera configs in chroot |
| mkdir -p "${CHROOT_PATH}"/etc/camera |
| end script |
| |
| script |
| # Start constructing minijail0 args... |
| args="" |
| |
| # Enter a new mount, network, PID, IPC and cgroup namespace. |
| args="$args -v -e -p -l -N" |
| |
| # Change user and group to arc-camera. |
| args="$args -u arc-camera -g arc-camera" |
| |
| # Set -i to fork and daemonize an init-like process that Upstart will track |
| # as the service. |
| args="$args -i" |
| |
| # Chroot and mount /usr, /proc, /dev/urandom, and /run/camera. |
| args="$args -P ${CHROOT_PATH} -k /usr,/usr,none,0x1000" |
| args="$args -k /proc,/proc,proc,0xe" |
| args="$args -k /dev/urandom,/dev/urandom,none,0x1001" |
| args="$args -b /run/camera,,1" |
| |
| # Set RLIMIT_NICE(=13) to 40,40 |
| args="$args -R 13,40,40" |
| |
| # Only mount /etc/camera if it exists. |
| if [ -d /etc/camera ]; then |
| args="$args -b /etc/camera,/etc/camera" |
| fi |
| |
| # Drop privileges and set seccomp filter. |
| args="$args -n -S ${SECCOMP_POLICY_FILE}" |
| args="$args -- /usr/bin/cros_camera_algo" |
| |
| exec minijail0 $args |
| end script |