| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Authpolicy daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # The service is started by Chrome via UpstartClient::StartAuthPolicyService(). |
| stop on stopping ui |
| respawn |
| |
| pre-start script |
| # Create a folder on encstateful where machine_pass and config.dat are stored. |
| # All other files are written to /tmp which is created fresh for each |
| # authpolicyd invocation. (see -t option). |
| # On older installations (domain join before authpolicy wrote the password |
| # file), the group x access is required by the authpolicyd-exec user to access |
| # the machine keytab file. |
| AUTHPOLICY_LIB_DIR=/var/lib/authpolicyd |
| mkdir -m 0710 -p "${AUTHPOLICY_LIB_DIR}" |
| chown -R authpolicyd:authpolicyd "${AUTHPOLICY_LIB_DIR}" |
| |
| # Create a folder in /run where the flags default level is stored. Files in |
| # /run are wiped on reboot, so that logging is reset on reboot and not |
| # permanently persisted for privacy and security reasons. |
| AUTHPOLICY_RUN_DIR=/run/authpolicyd |
| mkdir -m 0700 -p "${AUTHPOLICY_RUN_DIR}" |
| chown -R authpolicyd:authpolicyd "${AUTHPOLICY_RUN_DIR}" |
| end script |
| |
| # Minijail actually forks off the desired process. |
| expect fork |
| |
| script |
| # Start constructing minijail0 args... |
| args="" |
| |
| # Make sure minijail0 exits right away and won't block upstart. |
| args="${args} -i" |
| |
| # Create a PID namespace (process won't see any other processes). |
| args="${args} -p" |
| |
| # Create an IPC namespace (isolate System V IPC objects/POSIX message queues). |
| args="${args} -l" |
| |
| # Remount /proc read-only (prevents any messing with it). |
| args="${args} -r" |
| |
| # Enter new mount namespace, allows to change mounts inside jail. |
| args="${args} -v" |
| |
| # Creates new, empty tmp directory (technically, mounts tmpfs). |
| args="${args} -t" |
| |
| # Prevent that execve gains privileges, required for seccomp filters. |
| args="${args} -n" |
| |
| # Set the CAP_SETPCAP and CAP_SETUID capabilities to set authpolicyd-exec as |
| # saved UID and drops caps. This allows authpolicyd to switch to the |
| # authpolicyd-exec user when running Samba code or parsing data. Note that |
| # all caps are dropped right after startup. |
| args="${args} -c 180" |
| |
| # Create a pivot_root at the target folder. |
| args="${args} -P /tmp/authpolicyd_chroot" |
| |
| # Make sure mounts are remounted as slave mounts, so that the user's |
| # cryptohome can propagate into the jail. Note that |
| # /run/daemon-store/authpolicyd is a shared mount. |
| args="${args} -Kslave" |
| |
| # Bind-mount / read-only. |
| args="${args} -b /" |
| |
| # Bind-mount /dev read-only for Samba to work. |
| args="${args} -b /dev" |
| |
| # Bind-mount /run read-only for Samba and D-Bus to work. |
| args="${args} -b /run" |
| |
| # Bind-mount /run/authpolicyd read-write to store debug flags and auth data. |
| args="${args} -b /run/authpolicyd,,1" |
| |
| # Bind-mount /run/daemon-store/authpolicyd read-write to back up auth state. |
| # Mount events for the user's cryptohome will propagate into our mount |
| # namespace. See |
| # https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md#securely-mounting-cryptohome-daemon-store-folders |
| # for more details. In case authpolicyd starts up when the user's cryptohome |
| # is already mounted (e.g. after a crash), the 0x5000 option (MS_REC|MS_BIND) |
| # makes sure the daemon store is visible inside the namespace as well. |
| args="${args} -k /run/daemon-store/authpolicyd,/run/daemon-store/authpolicyd,none,0x5000" |
| |
| # Bind-mount /sys read-only for Samba to work. |
| args="${args} -b /sys" |
| |
| # Bind-mount /var read-only for Samba to work. |
| args="${args} -b /var" |
| |
| # Bind-mount /var/lib/authpolicyd read-write to store daemon state. |
| args="${args} -b /var/lib/authpolicyd,,1" |
| |
| # Bind-mount /var/lib/metrics,/var/lib/metrics read-write to store UMA |
| # metrics. |
| args="${args} -b /var/lib/metrics,,1" |
| |
| # Run as authpolicyd user and group. |
| args="${args} -u authpolicyd -g authpolicyd" |
| |
| # Inherit authpolicyd's supplementary groups, in particular 'policy-readers' |
| # to read device policy. |
| args="${args} -G" |
| |
| # Execute authpolicyd. |
| args="${args} /usr/sbin/authpolicyd" |
| |
| # -e is not specified because the service needs to connect to an AD server to |
| # join a domain, authenticate users and fetch user and device policies. |
| |
| exec minijail0 ${args} |
| end script |
| |
| # TO TEST: |
| # - Run without exec |
| # - Remove -t (so test code can read files form there), and add -b /tmp,/tmp,1 |
| |
| # Wait for daemon to claim its D-Bus name before transitioning to started. |
| post-start exec minijail0 -u authpolicyd -g authpolicyd /usr/bin/gdbus \ |
| wait --system --timeout 15 org.chromium.AuthPolicy |