arc/setup/init/arc-prepare-host-generated-dir.conf

# Copyright 2021 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description    "Set up /run/arc[vm]/host_generated"
author         "chromium-os-dev@chromium.org"

# This task is started by Chrome. No start stanza is needed.

# Use 'never' since terminating this job fails ARC to start.
oom score never

# Make this a task so that 'start arc-prepare-host-generated-dir' will block
# until the script finishes.
task

script
  die() {
    logger -t "${UPSTART_JOB}" "$1"
    exit 1
  }

  if [ -d /run/arc/host_generated ]; then
      ARC_HOST_GENERATED_BIND_ARG="-b /run/arc/host_generated,,1"
  elif [ -d /run/arcvm/host_generated ]; then
      ARC_HOST_GENERATED_BIND_ARG="-b /run/arcvm/host_generated,,1"
  else
      die "host_generated directory is not found"
  fi

  ARCVM_IMAGE_ARGS=""
  if [ -d /opt/google/vms/android ]; then
    ARCVM_IMAGE_ARGS="-b /opt/google/vms/android"
  fi

  # push_to_device may push images to this dir.
  if [ -d /usr/local/vms/android ]; then
    ARCVM_IMAGE_ARGS="${ARCVM_IMAGE_ARGS} \
        -k local,/usr/local,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC \
        -b /usr/local/vms/android"
  fi

  exec /sbin/minijail0 \
      --profile=minimalistic-mountns --uts -e -l -p -N \
      -k 'tmpfs,/mnt,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
      -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
      -k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
      -k '/run/chromeos-config,/run/chromeos-config,none,MS_BIND|MS_REC' \
      -b /sys \
      -b /run/dbus \
      ${ARCVM_IMAGE_ARGS} \
      ${ARC_HOST_GENERATED_BIND_ARG} \
      -- /usr/sbin/arc-prepare-host-generated-dir \
           --log_tag=arc-prepare-host-generated-dir ||
      die "Failed to execute arc-prepare-host-generated-dir"
end script