arc/keymint/init/arc-keymintd.conf - third_party/platform2 - Git at Google

 # Copyright 2023 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "Android keymint service in Chrome OS."
 author          "chromium-os-dev@chromium.org"

 # TODO(b/247941366): Conditionally start/stop arc-keymintd, depending on runtime
 # flag value.
 # This daemon is started by D-Bus service activation configured in
 # arc-keymint/dbus-permissions/org.chromium.ArcKeyMint.service.
 stop on stopping ui or stopping arcvm-pre-login-services

 # TODO(b/232556612): Change oom score to -100 when arc-keymint can recover.
 # Service is not system critical, but may not recover if killed.
 oom score -400

 script
   logger -t "${UPSTART_JOB}" "Start arc-keymint"
   set -x

   # Initialize minijail0 arguments.
   args=""

   # Enter new pid namespace (implies -vr).
   # -v: Enter new mount namespace.
   # -r: Remount /proc read-only.
   args="$args -p"
   # Enter a new cgroup namespace.
   args="$args -N"
   # Set no new privileges (no_new_privs).
   args="$args -n"
   # Enter a new UTS, IPC, and network namespace.
   args="$args --uts -l -e"
   # Set seccomp filter file.
   args="$args -S /usr/share/policy/arc-keymintd-seccomp.policy"
   # Set user and group ids.
   args="$args -u arc-keymintd -g arc-keymintd"

   # Mount /, /proc, /tmp, and a small /dev.
   args="$args --profile minimalistic-mountns"
   # Mount /run as a tmpfs so we can add more stuff to it.
   args="$args -k tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M"
   # Mount /run/lock in read-write mode, and /run/dbus in read-only.
   args="$args -b /run/lock,,1"
   args="$args -b /run/dbus"

   # Command to be executed in the minijail.
   args="$args -- /usr/sbin/arc-keymintd"

   logger -t "${UPSTART_JOB}" "Executing: minijail0 ${args}"
   exec minijail0 $args
 end script

 # Wait for daemon to claim its D-Bus name before transitioning to started.
 post-start script
   logger -t "${UPSTART_JOB}" "arc-keymint claiming its D-Bus name"

   exec minijail0 -u arc-keymintd -g arc-keymintd /usr/bin/gdbus \
     wait --system --timeout 15 org.chromium.ArcKeyMint
 end script

 post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-keymint"
	# Copyright 2023 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Android keymint service in Chrome OS."
	author "chromium-os-dev@chromium.org"

	# TODO(b/247941366): Conditionally start/stop arc-keymintd, depending on runtime
	# flag value.
	# This daemon is started by D-Bus service activation configured in
	# arc-keymint/dbus-permissions/org.chromium.ArcKeyMint.service.
	stop on stopping ui or stopping arcvm-pre-login-services

	# TODO(b/232556612): Change oom score to -100 when arc-keymint can recover.
	# Service is not system critical, but may not recover if killed.
	oom score -400

	script
	logger -t "${UPSTART_JOB}" "Start arc-keymint"
	set -x

	# Initialize minijail0 arguments.
	args=""

	# Enter new pid namespace (implies -vr).
	# -v: Enter new mount namespace.
	# -r: Remount /proc read-only.
	args="$args -p"
	# Enter a new cgroup namespace.
	args="$args -N"
	# Set no new privileges (no_new_privs).
	args="$args -n"
	# Enter a new UTS, IPC, and network namespace.
	args="$args --uts -l -e"
	# Set seccomp filter file.
	args="$args -S /usr/share/policy/arc-keymintd-seccomp.policy"
	# Set user and group ids.
	args="$args -u arc-keymintd -g arc-keymintd"

	# Mount /, /proc, /tmp, and a small /dev.
	args="$args --profile minimalistic-mountns"
	# Mount /run as a tmpfs so we can add more stuff to it.
	args="$args -k tmpfs,/run,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M"
	# Mount /run/lock in read-write mode, and /run/dbus in read-only.
	args="$args -b /run/lock,,1"
	args="$args -b /run/dbus"

	# Command to be executed in the minijail.
	args="$args -- /usr/sbin/arc-keymintd"

	logger -t "${UPSTART_JOB}" "Executing: minijail0 ${args}"
	exec minijail0 $args
	end script

	# Wait for daemon to claim its D-Bus name before transitioning to started.
	post-start script
	logger -t "${UPSTART_JOB}" "arc-keymint claiming its D-Bus name"

	exec minijail0 -u arc-keymintd -g arc-keymintd /usr/bin/gdbus \
	wait --system --timeout 15 org.chromium.ArcKeyMint
	end script

	post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-keymint"