| % minijail-config-file v0 |
| |
| # Create and enter new UTS namespace (hostname/NIS domain name). |
| uts |
| |
| # Create and enter new PID namespace. |
| p |
| |
| # Create and enter new IPC namespace. |
| l |
| |
| # Create and enter new network namespace. |
| e |
| |
| # Create and enter new cgroup namespace. |
| N |
| |
| # Set mount namespace to be a slave mount. |
| K = slave |
| |
| # Use the minimal mountns profile to start. |
| profile = minimalistic-mountns |
| |
| # Mount (writeable) and empty /run tmpfs path. |
| mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| |
| # Bind-mount /run/dbus read-only for D-Bus to work. |
| bind-mount = /run/dbus |
| |
| # Bind-mount /run/chromeos-config/v1 for access to chromeos-config. |
| bind-mount = /run/chromeos-config/v1 |
| |
| # Bind-mount the /sys directory as chromeos-config tries to get the product |
| # name, sku and other details from sysfs files. |
| bind-mount = /sys |
| |
| # Mount (writeable) and empty /var tmpfs path. |
| mount = tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| |
| # Mount (writeable) daemon store with MS_BIND|MS_REC options to handle the |
| # case where faced starts after the user's cryptohome is already mounted |
| # (e.g. after a crash). |
| mount = /run/daemon-store/faced,/run/daemon-store/faced,none,MS_BIND|MS_REC |
| |
| # Bind-mount (writeable) /dev/shm to share memory for mojo. |
| bind-mount = /dev/shm,,1 |
| |
| # Bind-mount /sbin read-only to start sandboxed processes using minijail0. |
| bind-mount = /sbin |
| |
| # Run as faced user and group. |
| u = faced |
| g = faced |
| |
| # Inherit supplementary groups from user faced. |
| G |
| |
| # Grant no caps. |
| c = 0 |
