| % minijail-config-file v0 |
| |
| # Copyright 2024 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Run as minios user and group. |
| u = minios |
| g = minios |
| G |
| |
| # Run inside a new VFS namespace. |
| ns-mount |
| |
| # Prevent the executable from gaining new privileges. |
| n |
| |
| # minimal mount namespace without /dev because we want real /dev. |
| profile = minimalistic-mountns-nodev |
| |
| mount = tmpfs,/mnt,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| mount = tmpfs,/sys,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| mount = tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC |
| |
| # To store extracted logs. |
| bind-mount = /var/log/minios,,1 |
| |
| # To read stored logs. |
| bind-mount = /mnt/stateful_partition/unencrypted,,1 |
| bind-mount = /dev |
| |
| # For vpd usage. |
| bind-mount = /run/lock,,1 |
| bind-mount = /run/vpd,,1 |
| bind-mount = /sys/firmware |
| |
| # To get details about storage devices. |
| bind-mount = /sys/devices |
| bind-mount = /sys/class |
| |
| # cap_dac_override to write to firmware_utility_lock. |
| # cap_sys_rawio to write to flash device. |
| c = cap_dac_override,cap_sys_rawio=e |
| |
| S = /usr/share/policy/minios-util.policy |
