| # Copyright 2021 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Bluetooth Manager" |
| author "ChromeOS BT <chromeos-bt-team@google.com>" |
| |
| start on started boot-services |
| stop on stopping boot-services |
| |
| # Limit respawning in case of crashloop |
| respawn limit 10 5 |
| respawn |
| |
| # This daemon manages the Bluetooth controllers on a system. It can be killed at |
| # the cost of an interruption in Bluetooth connectivity. |
| oom score -100 |
| |
| # Additional flags for `btmanagerd` |
| env BTMANAGERD_FLAGS="" |
| |
| script |
| # Parameters that can't be set: |
| # -e enters new network namespace. This prevents access to raw socket. |
| # |
| # Parameters that are set and what they do. |
| # -u bluetooth changes user. |
| # -g bluetooth changes group. |
| # -G inherit bluetooth's supplementary groups. |
| # -n prevents that execve gains privileges, required for seccomp filters. |
| # -l creates IPC namespace (isolates System V IPC objects/POSIX message |
| # queues). |
| # --uts enters a new UTS namespace. |
| # --profile minimalistic-mountns sets up minimalistic mount namespace. |
| # equivalent to -v -t -r --mount-dev -P /var/empty -b / -b /proc -b /dev/log |
| # -k /run,/run,tmpfs,... mounts tmpfs at /run |
| # -k /var,/var,tmpfs,... mounts tmpfs at /var |
| # -k /sys,/sys,tmpfs... mounts tmpfs at /sys |
| # -b /run/dbus mount read-only, required for D-Bus. |
| # -b /sys/class mount read-only. Only /sys/class/bluetooth is needed |
| # (it's required for hci devices), but may not exist yet when the |
| # service starts. |
| # -b /var/run/bluetooth mount read-only, required for pid files. |
| # -b /var/lib/misc/ allows read-write access to select floss/bluez daemon |
| # -b /var/lib/bluetooth/ allows read-write access to bluetooth config |
| # -c 3400 = cap_net_raw (1 << 13) | cap_net_admin (1 << 12) | \ |
| # cap_net_bind_service (1 << 10) |
| exec minijail0 \ |
| -u bluetooth -g bluetooth -G -n -l --uts \ |
| --profile minimalistic-mountns \ |
| -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -k '/sys,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/dbus \ |
| -b /sys/class \ |
| -b /var/run/bluetooth \ |
| -b /var/lib/misc,,1 \ |
| -b /var/lib/bluetooth,,1 \ |
| -c 'cap_net_raw+ep cap_net_admin+ep cap_net_bind_service+ep' \ |
| -- /usr/bin/btmanagerd ${BTMANAGERD_FLAGS} |
| end script |