| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the wilco_dtc_supportd daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # Start the wilco_dtc_supportd daemon, which is responsible for collecting |
| # telemetry and diagnostics information, and communicating with the wilco_dtc |
| # daemon. |
| start on starting wilco_dtc_dispatcher |
| stop stopped wilco_dtc_dispatcher |
| |
| respawn |
| # If the job respawns 3 times in 10 seconds, stop trying. |
| respawn limit 3 10 |
| |
| expect fork |
| |
| pre-start script |
| # Create a directory for gRPC socket files - see the comment about the jailing |
| # parameters below. |
| mkdir -p -m 755 /run/wilco_dtc/grpc_sockets |
| chown -R wilco_dtc:wilco_dtc /run/wilco_dtc/ |
| end script |
| |
| # Used jailing parameters: |
| # -e: new network namespace; |
| # -i: exit after forking; |
| # -l: new IPC namespace; |
| # -n: the no_new_privs bit; |
| # -p: new PID namespace; |
| # -r: remount /proc readonly; |
| # -t: a new tmpfs filesystem for /tmp; |
| # -v: new VFS namespace; |
| # --uts: new UTS/hostname namespace; |
| # -u, -g: user account and group; |
| # --mount-dev: a new /dev mount; |
| # --profile: minimalistic mount namespace; |
| # -k /run: a new tmpfs filesystem for /run, with the subsequent parameters |
| # mounting specific files into this directory; |
| # -b /run/wilco_dtc/grpc_sockets: shared directory with gRPC socket files, |
| # some of which are owned by wilco_dtc_supportd and some by the wilco_dtc |
| # daemon (note: no other daemon will use this directory); |
| # -b /run/dbus: shared socket file for talking with the D-Bus daemon; |
| # -k /sys: a new tmpfs filesystem for /sys, with the subsequent parameters |
| # mounting specific files into this directory; |
| # -b /sys/class: symlinks to /sys/devices, categorized by device type; |
| # -b /sys/devices: files with devices details exposed by the kernel; |
| # -b /sys/firmware: files with details about ACPI, VPD, DMI/SMBIOS, etc.; |
| # -b /dev/wilco_event0: file with EC events; |
| # -b /dev/wilco_telem0: file with EC telemetry data; |
| # -S: apply seccomp filters. |
| script |
| # Evaluate which directories are present for binding. Do this without starting |
| # subshells, to avoid breaking upstart's PID tracking. |
| set -- |
| if [ -e /sys/class/power_supply/BAT0 ]; then |
| set -- "$@" -b /sys/class/power_supply/BAT0 |
| fi |
| if [ -e /sys/devices/platform/coretemp.0 ]; then |
| set -- "$@" -b /sys/devices/platform/coretemp.0 |
| fi |
| if [ -e /sys/devices/virtual/hwmon ]; then |
| set -- "$@" -b /sys/devices/virtual/hwmon |
| fi |
| if [ -e /sys/devices/virtual/thermal ]; then |
| set -- "$@" -b /sys/devices/virtual/thermal |
| fi |
| if [ -e /sys/firmware/dmi/tables ]; then |
| set -- "$@" -b /sys/firmware/dmi/tables |
| fi |
| if [ -e /dev/wilco_event0 ]; then |
| set -- "$@" -b /dev/wilco_event0 |
| fi |
| if [ -e /dev/wilco_telem0 ]; then |
| set -- "$@" -b /dev/wilco_telem0 |
| fi |
| |
| exec minijail0 -e -i -l -n -p -r -t -v --uts \ |
| -u wilco_dtc -g wilco_dtc \ |
| --mount-dev \ |
| --profile=minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \ |
| -b /run/wilco_dtc/grpc_sockets,,1 \ |
| -b /run/dbus \ |
| -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \ |
| -b /sys/class/hwmon \ |
| -b /sys/class/thermal \ |
| "$@" \ |
| -S /usr/share/policy/wilco_dtc_supportd-seccomp.policy \ |
| -- /usr/bin/wilco_dtc_supportd |
| end script |