| # Copyright 2012 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Chrome OS post-mount-encrypted cleanup" |
| author "chromium-os-dev@chromium.org" |
| |
| # This job handles delayed copying of the mount-encrypted log file into |
| # /var/log. Since mount-encrypted forks a filesystem resizing process |
| # into the background, give it a chance to at least start running before |
| # copying the log. Waiting until after system-services seems sufficient, |
| # and additionally does not add any delay to chromeos_startup itself. |
| start on started system-services |
| |
| oom score -100 |
| |
| script |
| # Copy the log (not through symlinks), and retain permissions but use |
| # the default SELinux label for the target. The target should always |
| # be removed since we don't want to follow symlinks on the target. |
| # Use a trailing slash to require that "log" is a directory. |
| # |
| # This is done with cp because it's difficult to precisely replicate this |
| # operation via tmpfiles.d. While using cp can be somewhat dangerous the |
| # use here should be protected from attacks by the fact that it uses -P to |
| # avoid following symlinks, and it's copying only a single file between two |
| # root-owned directories. This means that subvertiting this operation would |
| # require you to already have root access. |
| cp -aPZ --remove-destination /run/mount_encrypted/mount-encrypted.log \ |
| /var/log/ || true # croslint: disable |
| |
| # Dump the log in syslog to preserve mount-encrypted info over reboots. |
| logger -t mount-encrypted -f /var/log/mount-encrypted.log || true |
| end script |
