arc/setup/init/minijail/arcvm-per-board-features.conf - third_party/platform2 - Git at Google

 % minijail-config-file v0

 # /usr/sbin/arc-apply-per-board-config internally calls two scripts,
 # generate_camera_profile and /usr/sbin/board_hardware_features, to generate
 # 3 files,
 # /mnt/stateful_partition/encrypted/var/cache/camera/etc/media_profiles.xml,
 # /run/arcvm/host_generated/oem/etc/media_profiles.xml (copy of the first
 # one), and /run/arcvm/host_generated/oem/etc/permissions/platform.xml.
 #
 # /run/chromeos-config: /usr/bin/generate_camera_profile executes
 #     /usr/bin/cros_config on some boards and the command reads the directory.
 #     MS_REC is required since a squashfs image is mounted somewhere in the
 #     tree.
 # /mnt/stateful_partition/encrypted/var/cache/camera: generate_camera_profile
 #     writes results to the directory.
 # /var/cache/camera: generate_camera_profile reads a .json in the directory.
 #     Also, arc-apply-per-board-config adds camera.prop to the directory.
 # /sys: /usr/sbin/board_hardware_features for some boards reads /sys to
 #     detect the board's hardware. /usr/sbin/mosys command which
 #     generate_camera_profile script uses on some boards also depends on /sys.
 # /run/arcvm/host_generated/oem: Both arc-apply-per-board-config and
 #     board_hardware_features write results to the directory.
 # /dev/camera-internal(0|1) (DEV_CAMERA_ARGS): Reef's board_hardware_features
 #     accesses them for determining if the device supports multi cameras.
 # /run/libsegmentation: libsegmentation either use the VPD information stored
 #     in /sys/firmware/vpd, or - at first reboot after install - a local
 #     temporary directory in /run/libsegmentation.

 no-default-runtime-environment
 profile = minimalistic-mountns
 uts
 e
 l
 p
 N
 no-fs-restrictions
 mount = tmpfs,/mnt,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
 mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
 mount = tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
 mount = /run/chromeos-config,/run/chromeos-config,none,MS_BIND|MS_REC
 bind-mount = /sys
 bind-mount = /mnt/stateful_partition/encrypted/var/cache/camera,,1
 bind-mount = /run/arcvm/host_generated/oem,,1
 bind-mount = /run/libsegmentation
 bind-mount = /var/cache/camera,,1
	% minijail-config-file v0

	# /usr/sbin/arc-apply-per-board-config internally calls two scripts,
	# generate_camera_profile and /usr/sbin/board_hardware_features, to generate
	# 3 files,
	# /mnt/stateful_partition/encrypted/var/cache/camera/etc/media_profiles.xml,
	# /run/arcvm/host_generated/oem/etc/media_profiles.xml (copy of the first
	# one), and /run/arcvm/host_generated/oem/etc/permissions/platform.xml.
	#
	# /run/chromeos-config: /usr/bin/generate_camera_profile executes
	# /usr/bin/cros_config on some boards and the command reads the directory.
	# MS_REC is required since a squashfs image is mounted somewhere in the
	# tree.
	# /mnt/stateful_partition/encrypted/var/cache/camera: generate_camera_profile
	# writes results to the directory.
	# /var/cache/camera: generate_camera_profile reads a .json in the directory.
	# Also, arc-apply-per-board-config adds camera.prop to the directory.
	# /sys: /usr/sbin/board_hardware_features for some boards reads /sys to
	# detect the board's hardware. /usr/sbin/mosys command which
	# generate_camera_profile script uses on some boards also depends on /sys.
	# /run/arcvm/host_generated/oem: Both arc-apply-per-board-config and
	# board_hardware_features write results to the directory.
	# /dev/camera-internal(0\|1) (DEV_CAMERA_ARGS): Reef's board_hardware_features
	# accesses them for determining if the device supports multi cameras.
	# /run/libsegmentation: libsegmentation either use the VPD information stored
	# in /sys/firmware/vpd, or - at first reboot after install - a local
	# temporary directory in /run/libsegmentation.

	no-default-runtime-environment
	profile = minimalistic-mountns
	uts
	e
	l
	p
	N
	no-fs-restrictions
	mount = tmpfs,/mnt,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC
	mount = tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC
	mount = tmpfs,/var,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC
	mount = /run/chromeos-config,/run/chromeos-config,none,MS_BIND\|MS_REC
	bind-mount = /sys
	bind-mount = /mnt/stateful_partition/encrypted/var/cache/camera,,1
	bind-mount = /run/arcvm/host_generated/oem,,1
	bind-mount = /run/libsegmentation
	bind-mount = /var/cache/camera,,1