| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "OOBE Config Restore daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # TODO(zentaro): Add start and stop signals. Currently run manually. |
| |
| # Minijail actually forks off the desired process. |
| expect fork |
| |
| # --profile=minimalistic-mountns Set up a minimalistic mount namespace |
| # -i makes sure minijail0 exits right away. |
| # -p Enter a new PID namespace and run the process as init (pid=1). |
| # -I Runs program as init inside a new pid namespace. |
| # -l Enter a new IPC namespace. |
| # --uts Enters a new UTS namespace. |
| # -n Sets the no_new_privs bit. |
| # -S Apply seccomp filters. |
| # -b Binds /dev/log to /dev/log in chroot. |
| # -u Run as oobe_config_restore user. |
| # -g Run as oobe_config_restore group. |
| |
| # TODO(zentaro): Add secomp filters when implementation is done. |
| exec minijail0 \ |
| --profile=minimalistic-mountns \ |
| -i \ |
| -p -I \ |
| -l \ |
| --uts \ |
| -n \ |
| -b /dev/log \ |
| -u oobe_config_restore -g oobe_config_restore \ |
| /usr/sbin/oobe_config_restore |
| |
| # TODO(zentaro): Add post-start to ensure DBUS endpoint once it is created. |
