# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upstart job that runs /usr/bin/bio_crypto_init (see the main script stanza)
# to program the biometric sensors with the TPM seed.
description "Binary to program bio sensors with TPM seed."
author "chromium-os-dev@chromium.org"
# Runs while boot-services is still starting, i.e. before udev has executed
# (the pre-start stanza below fixes up the device node by hand for that reason).
start on starting boot-services
# Log directory: created and chowned to biod in pre-start, bind-mounted
# writable into the sandbox and passed to the binary via --log_dir.
env LOG_DIR=/var/log/bio_crypto_init
# FPMCU character device node; made readable/writable by group biod in
# pre-start and bind-mounted into the sandbox.
env FP_DEV=/dev/cros_fp
pre-start script
# Create the log directory and give it to biod so the sandboxed binary
# (running as biod, see the main stanza) can write into it.
mkdir -p -m 755 -- "${LOG_DIR}"
chown -- biod:biod "${LOG_DIR}"
# This job runs before udev, so the FPMCU node would otherwise still carry
# its default ownership/mode; make it reachable for group biod by hand.
if test -c "${FP_DEV}"; then
  chown -- root:biod "${FP_DEV}"
  chmod -- 660 "${FP_DEV}"
fi
end script
script
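# Nothing to do without the FPMCU node: record that and exit successfully so
# the job is not reported as failed.
# NOTE(review): this write runs as root (minijail is not entered yet) into a
# directory that pre-start chowns to biod, with no check that the target is a
# plain file. Presumably nothing runs as biod this early in boot, so the risk
# is low, but a root write into a non-root-owned directory is worth confirming.
if [ ! -c "${FP_DEV}" ]; then
  printf '%s\n' "${FP_DEV} not available, exiting." > "${LOG_DIR}/bio_crypto_init.log"
  exit 0
fi
# Here (in order) are a list of the args added:
# - Create and enter new UTS namespace (hostname/NIS domain name).
# - Create and enter new network namespace.
# - Create and enter new IPC namespace.
# - Create and enter new cgroup namespace.
# - Create and enter new PID namespace.
# - Same options as minimalistic-mountns except we do not mount /dev/log
#   because it doesn't necessarily exist since journald hasn't started yet.
# - Get a writeable and empty /run tmpfs path.
# - Bind-mount /run/bio_crypto_init writable (the seed file lives there; the
#   post-stop stanza removes it).
# - Get a writeable and empty /var tmpfs path.
# - Bind-mount the log directory writable in it.
# - Bind-mount the FPMCU dev node.
# - Run as biod user and group.
# - Inherit supplementary groups from user biod.
# - Grant no caps.
# - No new privileges (no_new_privs).
# - Use bio_crypto_init seccomp policy.
# - Execute the binary.
# Expansions are quoted so the arguments stay single words even if the env
# stanzas are ever changed to paths containing spaces.
exec minijail0 \
  --uts \
  -e \
  -l \
  -N \
  -p \
  -v -P /mnt/empty -b / -b /proc -t -r --mount-dev \
  -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
  -b /run/bio_crypto_init,,1 \
  -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
  -b "${LOG_DIR},,1" \
  -b "${FP_DEV}" \
  -u biod -g biod \
  -G \
  -c 0 \
  -n \
  -S /usr/share/policy/bio-crypto-init-seccomp.policy \
  -- /usr/bin/bio_crypto_init \
  --log_dir="${LOG_DIR}"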
end script
# Ensure the seed file under /run is removed in case the binary left it behind.
post-stop script
# Best-effort removal: -f keeps this from failing when the seed was never
# written (e.g. the main stanza exited early because the FPMCU was absent).
rm -f -- /run/bio_crypto_init/seed
end script