arc/container/obb-mounter/init/arc-obb-mounter.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2016 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Start arc-obb-mounter D-Bus service"
 author        "chromium-os-dev@chromium.org"

 start on started arcpp-post-login-services
 stop on stopped arcpp-post-login-services

 # The following environment variables are passed from session_manager
 import CHROMEOS_USER

 env ROOTFSDIR=/opt/google/containers/arc-obb-mounter/mountpoints/container-root

 script
   logger -t "${UPSTART_JOB}" "Start arc-obb-mounter"
   set -x

   CRYPTOHOME_ROOT_PATH=$(cryptohome-path system "${CHROMEOS_USER}")
   if [ ! -d "${CRYPTOHOME_ROOT_PATH}" ]; then
     logger -t "${UPSTART_JOB}" \
       "Cryptohome root directory ${CRYPTOHOME_ROOT_PATH} does not exist"
     exit 1
   fi

   # Start constructing minijail0 args...
   args="minijail0"

   # Enter a new mount namespace.
   args="$args -v"

   # Enter a new network namespace.
   args="$args -e"

   # Enter a new PID namespace.
   args="$args -p"

   # Enter a new IPC namespace.
   args="$args -l"

   # pivot_root to $ROOTFSDIR.
   args="$args -P $ROOTFSDIR"

   # Allow sharing mounts between CrOS and Android.
   # WARNING: BE CAREFUL not to unexpectedly expose shared mounts in following
   # bind mounts! Always remount them with MS_REC|MS_PRIVATE unless you want to
   # share those mounts explicitly.
   args="$args -K"

   # /data
   # 0x1000 = bind
   args="$args -k ${CRYPTOHOME_ROOT_PATH}/android-data/data,/data,none,0x1000"
   # 0x102f = bind,remount,noexec,nodev,nosuid,ro
   args="$args -k none,/data,none,0x102f"

   # /lib
   # 0x1000 = bind
   args="$args -k /lib,/lib,none,0x1000"
   # 0x1027 = bind,remount,nodev,nosuid,ro
   args="$args -k none,/lib,none,0x1027"

   # /lib64
   if [ -e /lib64 ]; then
     # 0x1000 = bind
     args="$args -k /lib64,/lib64,none,0x1000"
     # 0x1027 = bind,remount,nodev,nosuid,ro
     args="$args -k none,/lib64,none,0x1027"
   fi

   # /proc
   # 0xe = noexec,nodev,nosuid
   args="$args -k proc,/proc,proc,0xe"

   # /usr
   # 0x1000 = bind
   args="$args -k /usr,/usr,none,0x1000"
   # 0x1027 = bind,remount,nodev,nosuid,ro
   args="$args -k none,/usr,none,0x1027"

   # For D-Bus system bus socket.
   # 0x1000 = bind
   args="$args -k /run/dbus,/run/dbus,none,0x1000"
   # 0x1027 = bind,remount,noexec,nodev,nosuid,ro
   args="$args -k none,/run/dbus,none,0x102f"

   # Mark PRIVATE recursively under (pivot) root, in order not to expose shared
   # mount points accidentally.
   # 0x44000 = rec,private
   args="$args -k none,/,none,0x44000"

   # OBB mount destination directory.
   # 0x1000 = bind
   args="$args -k /run/arc/obb,/var/run/arc/obb,none,0x1000"
   # 0x2e = remount,noexec,nodev,nosuid
   args="$args -k none,/var/run/arc/obb,none,0x2e"

   args="$args -- /usr/bin/arc-obb-mounter"

   logger -t "${UPSTART_JOB}" "Executing: $args"
   exec $args
 end script

 post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-obb-mounter"
	# Copyright 2016 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start arc-obb-mounter D-Bus service"
	author "chromium-os-dev@chromium.org"

	start on started arcpp-post-login-services
	stop on stopped arcpp-post-login-services

	# The following environment variables are passed from session_manager
	import CHROMEOS_USER

	env ROOTFSDIR=/opt/google/containers/arc-obb-mounter/mountpoints/container-root

	script
	logger -t "${UPSTART_JOB}" "Start arc-obb-mounter"
	set -x

	CRYPTOHOME_ROOT_PATH=$(cryptohome-path system "${CHROMEOS_USER}")
	if [ ! -d "${CRYPTOHOME_ROOT_PATH}" ]; then
	logger -t "${UPSTART_JOB}" \
	"Cryptohome root directory ${CRYPTOHOME_ROOT_PATH} does not exist"
	exit 1
	fi

	# Start constructing minijail0 args...
	args="minijail0"

	# Enter a new mount namespace.
	args="$args -v"

	# Enter a new network namespace.
	args="$args -e"

	# Enter a new PID namespace.
	args="$args -p"

	# Enter a new IPC namespace.
	args="$args -l"

	# pivot_root to $ROOTFSDIR.
	args="$args -P $ROOTFSDIR"

	# Allow sharing mounts between CrOS and Android.
	# WARNING: BE CAREFUL not to unexpectedly expose shared mounts in following
	# bind mounts! Always remount them with MS_REC\|MS_PRIVATE unless you want to
	# share those mounts explicitly.
	args="$args -K"

	# /data
	# 0x1000 = bind
	args="$args -k ${CRYPTOHOME_ROOT_PATH}/android-data/data,/data,none,0x1000"
	# 0x102f = bind,remount,noexec,nodev,nosuid,ro
	args="$args -k none,/data,none,0x102f"

	# /lib
	# 0x1000 = bind
	args="$args -k /lib,/lib,none,0x1000"
	# 0x1027 = bind,remount,nodev,nosuid,ro
	args="$args -k none,/lib,none,0x1027"

	# /lib64
	if [ -e /lib64 ]; then
	# 0x1000 = bind
	args="$args -k /lib64,/lib64,none,0x1000"
	# 0x1027 = bind,remount,nodev,nosuid,ro
	args="$args -k none,/lib64,none,0x1027"
	fi

	# /proc
	# 0xe = noexec,nodev,nosuid
	args="$args -k proc,/proc,proc,0xe"

	# /usr
	# 0x1000 = bind
	args="$args -k /usr,/usr,none,0x1000"
	# 0x1027 = bind,remount,nodev,nosuid,ro
	args="$args -k none,/usr,none,0x1027"

	# For D-Bus system bus socket.
	# 0x1000 = bind
	args="$args -k /run/dbus,/run/dbus,none,0x1000"
	# 0x1027 = bind,remount,noexec,nodev,nosuid,ro
	args="$args -k none,/run/dbus,none,0x102f"

	# Mark PRIVATE recursively under (pivot) root, in order not to expose shared
	# mount points accidentally.
	# 0x44000 = rec,private
	args="$args -k none,/,none,0x44000"

	# OBB mount destination directory.
	# 0x1000 = bind
	args="$args -k /run/arc/obb,/var/run/arc/obb,none,0x1000"
	# 0x2e = remount,noexec,nodev,nosuid
	args="$args -k none,/var/run/arc/obb,none,0x2e"

	args="$args -- /usr/bin/arc-obb-mounter"

	logger -t "${UPSTART_JOB}" "Executing: $args"
	exec $args
	end script

	post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-obb-mounter"