| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start arc-obb-mounter D-Bus service" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started arcpp-post-login-services |
| stop on stopped arcpp-post-login-services |
| |
| # The following environment variables are passed from session_manager |
| import CHROMEOS_USER |
| |
| env ROOTFSDIR=/opt/google/containers/arc-obb-mounter/mountpoints/container-root |
| |
| script |
| logger -t "${UPSTART_JOB}" "Start arc-obb-mounter" |
| set -x |
| |
| CRYPTOHOME_ROOT_PATH=$(cryptohome-path system "${CHROMEOS_USER}") |
| if [ ! -d "${CRYPTOHOME_ROOT_PATH}" ]; then |
| logger -t "${UPSTART_JOB}" \ |
| "Cryptohome root directory ${CRYPTOHOME_ROOT_PATH} does not exist" |
| exit 1 |
| fi |
| |
| # Start constructing minijail0 args... |
| args="minijail0" |
| |
| # Enter a new mount namespace. |
| args="$args -v" |
| |
| # Enter a new network namespace. |
| args="$args -e" |
| |
| # Enter a new PID namespace. |
| args="$args -p" |
| |
| # Enter a new IPC namespace. |
| args="$args -l" |
| |
| # pivot_root to $ROOTFSDIR. |
| args="$args -P $ROOTFSDIR" |
| |
| # Allow sharing mounts between CrOS and Android. |
| # WARNING: BE CAREFUL not to unexpectedly expose shared mounts in following |
| # bind mounts! Always remount them with MS_REC|MS_PRIVATE unless you want to |
| # share those mounts explicitly. |
| args="$args -K" |
| |
| # /data |
| # 0x1000 = bind |
| args="$args -k ${CRYPTOHOME_ROOT_PATH}/android-data/data,/data,none,0x1000" |
| # 0x102f = bind,remount,noexec,nodev,nosuid,ro |
| args="$args -k none,/data,none,0x102f" |
| |
| # /lib |
| # 0x1000 = bind |
| args="$args -k /lib,/lib,none,0x1000" |
| # 0x1027 = bind,remount,nodev,nosuid,ro |
| args="$args -k none,/lib,none,0x1027" |
| |
| # /lib64 |
| if [ -e /lib64 ]; then |
| # 0x1000 = bind |
| args="$args -k /lib64,/lib64,none,0x1000" |
| # 0x1027 = bind,remount,nodev,nosuid,ro |
| args="$args -k none,/lib64,none,0x1027" |
| fi |
| |
| # /proc |
| # 0xe = noexec,nodev,nosuid |
| args="$args -k proc,/proc,proc,0xe" |
| |
| # /usr |
| # 0x1000 = bind |
| args="$args -k /usr,/usr,none,0x1000" |
| # 0x1027 = bind,remount,nodev,nosuid,ro |
| args="$args -k none,/usr,none,0x1027" |
| |
| # For D-Bus system bus socket. |
| # 0x1000 = bind |
| args="$args -k /run/dbus,/run/dbus,none,0x1000" |
| # 0x1027 = bind,remount,noexec,nodev,nosuid,ro |
| args="$args -k none,/run/dbus,none,0x102f" |
| |
| # Mark PRIVATE recursively under (pivot) root, in order not to expose shared |
| # mount points accidentally. |
| # 0x44000 = rec,private |
| args="$args -k none,/,none,0x44000" |
| |
| # OBB mount destination directory. |
| # 0x1000 = bind |
| args="$args -k /run/arc/obb,/var/run/arc/obb,none,0x1000" |
| # 0x2e = remount,noexec,nodev,nosuid |
| args="$args -k none,/var/run/arc/obb,none,0x2e" |
| |
| args="$args -- /usr/bin/arc-obb-mounter" |
| |
| logger -t "${UPSTART_JOB}" "Executing: $args" |
| exec $args |
| end script |
| |
| post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-obb-mounter" |