| % minijail-config-file v0 |
| |
| # Copyright 2024 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Fork and daemonize an init-like process that Upstart will track |
| # as the service. |
| i |
| |
| # Change user and group to arc-camera. |
| u = arc-camera |
| g = arc-camera |
| |
| # Inherit supplementary groups for accessing services restricted to it, |
| # for example, perfetto. |
| G |
| |
| # Enter a new network, PID, IPC and cgroup namespace. |
| e |
| p |
| l |
| N |
| |
| # Write PID to /sys/fs/cgroup/cpuset/user_space/media/tasks. |
| f = /sys/fs/cgroup/cpuset/user_space/media/tasks |
| |
| ns-mount |
| P = /mnt/empty |
| bind-mount = / |
| |
| # Read only access to /proc, /sys, /dev to perform USB enumeration. |
| bind-mount = /proc |
| bind-mount = /sys |
| bind-mount = /dev |
| |
| # Create /var and /run in tmpfs to mount necessary subdirectories. |
| mount = tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| mount = /run/imageloader,/run/imageloader,none,MS_BIND|MS_REC|MS_NOSUID|MS_NODEV |
| |
| # Read/Write access to perfetto. |
| bind-mount = /run/perfetto,,1 |
| |
| # Read/Write access to /var/lib/metrics to log metrics. |
| bind-mount = /var/lib/metrics,,1 |
| |
| # Read only access to shared socket file for talking to the Dbind-mount =us daemon. |
| bind-mount = /run/dbus |
| |
| # Read only access to the socket file for the mojo service manager. |
| bind-mount = /run/mojo |
| |
| # Drop privileges. |
| n |
