biod: bio_crypto_init mustn't mount /dev/log
Minijail's minimalistic-mountns profile mounts /dev/log. However
/dev/log is created by journald which hasn't necessarily started when
bio_crypto_init is starting. So instead of using the profile we expand
the options and avoid mounting /dev/log.
BUG=b:130289868
BUG=chromium:951941
TEST=cros deploy biod to the DUT and reboot, fingerprint unlocking works
as expected.
Change-Id: I3b7954e37a3ca659ca19bbc9f6268ab5dfe2582c
Reviewed-on: https://chromium-review.googlesource.com/1564981
Commit-Ready: Nicolas Norvez <norvez@chromium.org>
Tested-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Chris Morin <cmtm@chromium.org>
diff --git a/biod/init/bio_crypto_init.conf b/biod/init/bio_crypto_init.conf
index 29c4ab5..627305c 100644
--- a/biod/init/bio_crypto_init.conf
+++ b/biod/init/bio_crypto_init.conf
@@ -34,10 +34,8 @@
# - Create and enter new IPC namespace.
# - Create and enter new cgroup namespace.
# - Create and enter new PID namespace.
- # - Set up a new VFS namespace (although this should be covered by
- # minimalistic-mountns, leaving this out yields the following error:
- # "Can't skip marking mounts as MS_PRIVATE without mount namespaces.")
- # - Use the minimal mountns profile to start.
+ # - Same options as minimalistic-mountns except we do not mount /dev/log
+ # because it doesn't necessarily exist since journald hasn't started yet.
# - Get a writeable and empty /run tmpfs path.
# - Mount the /run/biod_seed file.
# - Get a writeable and empty /var tmpfs path.
@@ -55,8 +53,7 @@
-l \
-N \
-p \
- -v \
- --profile minimalistic-mountns \
+ -v -P /mnt/empty -b / -b /proc -t -r --mount-dev \
-k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
-b /run/bio_crypto_init,,1 \
-k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \