| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Downloadable content service daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on starting system-services |
| stop on stopping system-services |
| expect fork |
| respawn |
| respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying. |
| |
| pre-start script |
| # Initialize: |
| # -The DLC image directory. |
| # -The DLC metadata directory. |
| for dlc_path in "/var/cache/dlc" "/var/lib/dlcservice" |
| do |
| mkdir -p "${dlc_path}" |
| chmod -R u+rwX,go+rX,go-w "${dlc_path}" |
| chown -R dlcservice:dlcservice "${dlc_path}" |
| done |
| # -The DLC preload directory. |
| # The preload directory will only be created for test images. |
| DLC_PRELOAD_PATH="/var/cache/dlc-images" |
| if [ -d "${DLC_PRELOAD_PATH}" ]; then |
| chown -R dlcservice:dlcservice "${DLC_PRELOAD_PATH}" |
| fi |
| end script |
| |
| script |
| set -- |
| DLC_PRELOAD_PATH="/var/cache/dlc-images" |
| if [ -d "${DLC_PRELOAD_PATH}" ]; then |
| set -- "$@" -b "${DLC_PRELOAD_PATH}" |
| fi |
| # -i Exit immediately after fork. |
| # -u Run as dlcservice user. |
| # -g Run as dlcservice group. |
| # -G Inherit supplementary groups from new uid. |
| # -n prevents the executable from gaining new privileges. |
| # minimal mount namespace without /dev because we want real /dev. |
| # tmpfs on /run, /var, /sys so we can create mounts under them. |
| # -b /run/dbus for system dbus socket. |
| # -b /var/lib/metrics Mount with write permissions for uma metrics. |
| # -b /var/lib/dlcservice with write for preferences. |
| # -b /var/cache/dlc write for dlc images. |
| # -b /var/cache/dlc-images for preloaded dlc images. |
| # -b /sys/block, -b /sys/devices, -b /dev for boot slot detection. |
| # -b /run/systemd/journal/dev-log for logging. |
| # -S Set seccomp filter using dlcservice-seccomp.policy. |
| exec minijail0 -i -u dlcservice -g dlcservice -G -n \ |
| --profile=minimalistic-mountns-nodev \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k 'tmpfs,/sys,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -b /run/dbus \ |
| -b /var/lib/metrics,,1 \ |
| -b /var/lib/dlcservice,,1 \ |
| -b /var/cache/dlc,,1 \ |
| -b /sys/block \ |
| -b /sys/devices \ |
| -b /dev \ |
| -b /run/systemd/journal/dev-log \ |
| "$@" \ |
| -S /usr/share/policy/dlcservice-seccomp.policy /usr/sbin/dlcservice |
| end script |