| # Copyright 2021 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "DNS proxy daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on starting system-services |
| stop on stopping system-services |
| |
| respawn |
| respawn limit 3 5 |
| |
| # Do not respawn if the service is terminated on purpose. |
| normal exit 0 |
| |
| # Sacrifice before OOM panic. |
| # TODO(garrick): Add vm size limit. |
| oom score 0 |
| |
| # Minijail actually forks off the desired process. |
| expect fork |
| |
| script |
| # Start constructing minijail0 args... |
| args="" |
| |
| # Make sure minijail0 exits right away and won't block upstart. |
| args="${args} -i" |
| |
| # Create a cgroup namespace. |
| args="${args} -N" |
| |
| # Create a UTS namespace to isolate changes to the host / domain name. |
| args="${args} --uts" |
| |
| # Create an IPC namespace (isolate System V IPC objects/POSIX message queues). |
| args="${args} -l" |
| |
| # Remount /proc read-only (prevents any messing with it). |
| args="${args} -r" |
| |
| # Creates new, empty tmp directory (technically, mounts tmpfs). |
| args="${args} -t" |
| |
| # Prevent that execve gains privileges, required for seccomp filters. |
| args="${args} -n" |
| |
| # Apply seccomp policy. |
| args="${args} -S /usr/share/policy/dns-proxy-seccomp.policy" |
| |
| # Use a minimalistic mount namespace. |
| args="${args} --profile minimalistic-mountns" |
| |
| # Enable additional enforcement layer to prevent access to paths not |
| # provided by minimalistic-mountns. |
| args="${args} --enable-profile-fs-restrictions" |
| |
| # Mount /run as tmpfs read-only. |
| args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC" |
| |
| # Bind-mount /run/dbus read-only for D-Bus to work. |
| args="${args} -b /run/dbus" |
| |
| # Bind-mount /run/dns-proxy for writing resolv.conf. |
| args="${args} -b /run/dns-proxy,,1" |
| |
| # Bind-mount /sbin read-only to start sandboxed processes using minijail0. |
| args="${args} -b /sbin" |
| |
| # Bind-mount /etc/ssl/certs read-only to read certificates . This is necessary |
| # for testing using Tast network/virtualnet package as it is bind mounting |
| # over /etc/ssl/certs in the rootfs to inject testing certs. DNS proxy uses |
| # the certificates to do DoH queries. |
| args="${args} -b /etc/ssl/certs" |
| |
| # Bind-mount /run/shill for DNS resolution. |
| args="${args} -b /run/shill" |
| |
| # Bind-mount /var/lib/metrics for writable access to uma-events. |
| args="${args} -b /var" |
| args="${args} -b /var/lib/metrics,,1" |
| |
| # Run as dns-proxy user and group. |
| args="${args} -u dns-proxy -g dns-proxy" |
| |
| # Run with root permissions so that the daemon can start sandboxed processes. |
| # Run with CAP_NET_BIND_SERVICE so that it can bind to default DNS port (53). |
| args="${args} -c cap_sys_admin,cap_net_bind_service=e" |
| |
| # Execute dns-proxy. |
| args="${args} /usr/sbin/dnsproxyd" |
| |
| # -e is not specified because the service needs to connect to servers. |
| |
| exec minijail0 ${args} |
| end script |