camera/common/minijail/cros-camera-gpu-algo.conf - third_party/platform2 - Git at Google

 % minijail-config-file v0

 # Enter a new mount, network, PID, IPC and cgroup namespace.
 ns-mount
 e
 p
 l
 N

 # Change user and group to arc-camera. Need -G to inherit video group for GPU
 # access.
 u = arc-camera
 g = arc-camera
 G

 # Set -i to fork and daemonize an init-like process that Upstart will track
 # as the service.
 i

 # Chroot and mount /dev, /sys, /proc, /tmp and /run/camera.
 P = /mnt/empty
 bind-mount = /
 bind-mount = /proc
 bind-mount = /dev
 bind-mount = /sys
 mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
 bind-mount = /run/camera,,1
 t

 # Mount /run/chromeos-config/v1 for access to chromeos-config.
 bind-mount = /run/chromeos-config/v1

 # Write PID to /sys/fs/cgroup/cpuset/user_space/media/tasks.
 f = /sys/fs/cgroup/cpuset/user_space/media/tasks

 # Assume static ELF binary to give arc-camera access to /proc/self.
 T = static

 # Drop privileges
 n
	% minijail-config-file v0

	# Enter a new mount, network, PID, IPC and cgroup namespace.
	ns-mount
	e
	p
	l
	N

	# Change user and group to arc-camera. Need -G to inherit video group for GPU
	# access.
	u = arc-camera
	g = arc-camera
	G

	# Set -i to fork and daemonize an init-like process that Upstart will track
	# as the service.
	i

	# Chroot and mount /dev, /sys, /proc, /tmp and /run/camera.
	P = /mnt/empty
	bind-mount = /
	bind-mount = /proc
	bind-mount = /dev
	bind-mount = /sys
	mount = tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC
	bind-mount = /run/camera,,1
	t

	# Mount /run/chromeos-config/v1 for access to chromeos-config.
	bind-mount = /run/chromeos-config/v1

	# Write PID to /sys/fs/cgroup/cpuset/user_space/media/tasks.
	f = /sys/fs/cgroup/cpuset/user_space/media/tasks

	# Assume static ELF binary to give arc-camera access to /proc/self.
	T = static

	# Drop privileges
	n