# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start arc-data-snapshotd daemon in Chrome OS."
author "chromium-os-dev@chromium.org"
# The Chrome browser manages the lifetime of the arc-data-snapshotd daemon via
# upstart. The daemon is responsible for managing ARC snapshots of the data/
# directory.
# Stop the daemon whenever the ui job is stopping.
stop on stopping ui
# Keep the daemon killable by the OOM killer in case it leaks memory: -100 only
# makes it a less preferred victim, it does not exempt it.
oom score -100
respawn
# If the job respawns 3 times in 10 seconds, stop trying.
respawn limit 3 10
# Root of the snapshot state; read by the pre-start and script stanzas below.
env SNAPSHOT_DIR=/var/cache/arc-data-snapshot
# RESTART_FRECON is taken from the environment of the start request
# (presumably set by whoever starts the job; confirm against the caller).
# The script stanza only compares it with "1".
import RESTART_FRECON
pre-start script
  # Runs outside the minijail sandbox (no setuid stanza is visible, so
  # presumably as root) before the daemon itself is started.

  # Drop temporary images left over from a previous run on every startup.
  # The tree is owned by the arc-data-snapshotd user (see chown below), so
  # this is a privileged delete inside a directory the service can write to.
  rm -rf "${SNAPSHOT_DIR}/tmp"

  # First-time setup only: build the directory layout and seed the boot image.
  # NOTE(review): when SNAPSHOT_DIR already exists, tmp/ is removed above and
  # is not recreated here; presumably the daemon recreates it. Confirm.
  if [ ! -d "${SNAPSHOT_DIR}" ]; then
    mkdir -m 755 "${SNAPSHOT_DIR}"
    mkdir -m 755 "${SNAPSHOT_DIR}/images"
    mkdir -m 755 "${SNAPSHOT_DIR}/tmp"
    # The recursive chown only ever runs on the freshly created, still empty
    # tree, never on content the service user has already written.
    chown -R arc-data-snapshotd:arc-data-snapshotd "${SNAPSHOT_DIR}"
    # Copied after the chown, so the image keeps the ownership of the user
    # running this stanza rather than that of the service user.
    cp /usr/share/chromeos-assets/images/boot_message_light.png \
      "${SNAPSHOT_DIR}/images/boot_message.png"
  fi
end script
# Jailing parameters used below:
# -c: capabilities:
# cap_dac_override,cap_fowner,cap_chown: let the arc-data-snapshotd user
# copy/remove/stat android-data regardless of file ownership;
# cap_sys_admin: lets the arc-data-snapshotd user modify security
# attributes of the copied files;
# NOTE(review): cap_sys_admin permits far more than attribute changes, so
# the namespaces and the seccomp policy (-S) are what bound it in practice;
# --ambient: let subprocesses inherit capabilities;
# -e: new network namespace;
# -l: new IPC namespace;
# -n: the no_new_privs bit;
# -N: new cgroup namespace;
# --uts: new UTS/hostname namespace;
# -K: leave the propagation mode of existing mounts unchanged;
# -v: new VFS namespace;
# -r: remount /proc read-only;
# -p: new PID namespace;
# -I: run a program as init (pid 1) inside a new pid namespace;
# -u, -g: user account and group;
# --profile=minimalistic-mountns: start with minimal mounts;
# -k: mount a 10M tmpfs (nodev, nosuid, noexec) over /var and over /run;
# -b: bind mounts into the jail (a trailing ",,1" makes the mount writable):
# /var/cache/arc-data-snapshot: for storing snapshot related info;
# /run/dbus: for communication over bus;
# /run/frecon: for communication with frecon;
# /dev/input: for watching ESC key presses;
# /dev/pts,,1: for communication with frecon;
# -S: apply seccomp filters.
script
  logger -t "${UPSTART_JOB}" "Start arc-data-snapshotd"
  # Trace every following command into the job's output.
  set -x

  # Show the update_arc_data_snapshot UI screen if the starter asked for it.
  # TODO(pbond): remove this frecon restart once it is no longer needed.
  # Currently, the boot-splash screen cannot be updated via an escape sequence.
  if [ "${RESTART_FRECON}" = "1" ]; then
    IMAGE_BACKGROUND_RGB=fefefe IMAGE_TEXT_COLOR=Black \
      ASSETS_IMAGE_PATH="${SNAPSHOT_DIR}/images" MESSAGE_OPTIONS=--markup \
      chromeos-boot-alert update_arc_data_snapshot
  fi

  # Replace this shell with the sandboxed daemon. The flag order is kept as
  # is: each tmpfs (-k) is mounted before the bind mounts (-b) that live
  # under it. Only /var/cache/arc-data-snapshot and /dev/pts are bound
  # writable (",,1"); /run/dbus, /run/frecon and /dev/input are not.
  # NOTE(review): /dev/input exposes every input device node to the daemon,
  # not just the ESC key; any narrowing would have to come from the seccomp
  # policy or the daemon itself. Confirm that is acceptable.
  exec minijail0 -c 'cap_dac_override,cap_chown,cap_fowner,cap_sys_admin+eip' \
    --ambient -e -l -n -N -r -K -v -p -I \
    --uts -u arc-data-snapshotd -g arc-data-snapshotd \
    --profile=minimalistic-mountns \
    -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
    -b /var/cache/arc-data-snapshot,,1 \
    -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
    -b /run/dbus \
    -b /run/frecon \
    -b /dev/input \
    -b /dev/pts,,1 \
    -S /usr/share/policy/arc-data-snapshotd-seccomp.policy \
    -- /usr/bin/arc-data-snapshotd
end script
# Wait (up to 15 seconds) for the daemon to claim its D-Bus name on the system
# bus before transitioning to started.
# gdbus runs as the unprivileged arc-data-snapshotd user and group; only -u/-g
# are applied here, with no namespaces, capabilities or seccomp policy.
# NOTE(review): a timeout makes this stanza exit non-zero; confirm how the
# job is expected to behave in that case.
post-start exec minijail0 -u arc-data-snapshotd -g arc-data-snapshotd \
/usr/bin/gdbus wait --system --timeout 15 org.chromium.ArcDataSnapshotd
post-stop script
  # Runs after the daemon's main process has gone, outside the sandbox.
  logger -t "${UPSTART_JOB}" "Post-stop arc-data-snapshotd"
  # Presumably puts frecon back into its normal state after the alert that
  # the script stanza may have shown; confirm against display_boot_message.
  display_boot_message action restore_frecon
end script