| % minijail-config-file v0 |
| |
| # Used jailing parameters: |
| # -e: enter new network namespace (for process that |
| # doesn't need network access); |
| # -i: minijail0 exits right after forking. |
| # -l: new IPC namespace (isolates IPC resources). |
| # -N: new cgroup namespace. |
| # -n: set no new privileges (no_new_privs bit). |
| # -p: Enter new pid namespace (implies -vr). |
| # -r: remount /proc read-only. |
| # -v: enter new mount namespace. |
| # --profile=minimalistic-mountns: Enables mount and process namespace |
| # which includes /var/empty, /, proc (RO), /dev/log, /tmp (tmpfs). |
| # -u: change userid to <user> |
| # -g: change gid to <group> |
| # -G: inherit supplementary groups from new uid. |
| # --uts: enters new UTS namespace. It makes changes to the host/domain |
| # name not affect the rest of the system. |
| # -k: regular mount (source, target, filesystemtype, mountflags, data) |
| # -b /run/dbus: mount /run/dbus to be able to communicate with D-bus. |
| |
| e |
| i |
| l |
| N |
| n |
| p |
| uts |
| u = ocr_service |
| g = ocr_service |
| G |
| profile = minimalistic-mountns |
| mount = tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M |
| bind-mount = /run/dbus |
