| % minijail-config-file v0 |
| |
| # Make sure minijail0 exits right away and won't block upstart. |
| i |
| |
| # Create a cgroup namespace. |
| N |
| |
| # Create a UTS namespace to isolate changes to the host / domain name. |
| uts |
| |
| # Create an IPC namespace (isolate System V IPC objects/POSIX message queues). |
| l |
| |
| # Remount /proc read-only (prevents any messing with it). |
| r |
| |
| # Creates new, empty tmp directory (technically, mounts tmpfs). |
| t |
| |
| # Prevent that execve gains privileges, required for seccomp filters. |
| n |
| |
| # Apply seccomp policy. |
| S = /usr/share/policy/system-proxy-seccomp.policy |
| |
| # Use a minimalistic mount namespace. |
| profile = minimalistic-mountns |
| no-fs-restrictions |
| |
| # Mount /run as tmpfs read-only. |
| mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| |
| # Bind-mount /run/dbus read-only for D-Bus to work. |
| bind-mount = /run/dbus |
| |
| # Bind-mount /sbin read-only to start sandboxed processes using minijail0. |
| bind-mount = /sbin |
| |
| # Bind-mount /run/shill for DNS resolution. |
| # TODO(259354228): Remove once resolv.conf migration to dns-proxy is done. |
| bind-mount = /run/shill |
| |
| # Bind-mount /run/dns-proxy for DNS resolution. |
| bind-mount = /run/dns-proxy |
| |
| # Run as system-proxy user and group. |
| u = system-proxy |
| g = system-proxy |
| |
| # Inherit system-proxy's supplementary groups, in particular |
| # 'password-viewers' to read the login password. |
| G |
| |
| # Run with root permissions so that the daemon can start sandboxed processes. |
| c = cap_sys_admin=e |
| |
| # -e is not specified because the service needs to connect to servers. |
