shill/init/shill.sh - third_party/platform2 - Git at Google

 #!/bin/sh
 # Copyright 2018 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 CGROUP_FREEZER_PIDFILE=/sys/fs/cgroup/freezer/system_daemons/cgroup.procs

 # Set logging level and scope if sticky flag exists.
 if [ -f /var/cache/modem-utilities/log_shill_verbose3 ]; then
   # Only set SHILL_LOG_LEVEL if no value was set
   if [ -z "${SHILL_LOG_LEVEL}" ]; then
     SHILL_LOG_LEVEL="-3"
   fi
   APPEND_SCOPES="cellular+modem+device+dbus+manager"
   if [ -z "${SHILL_LOG_SCOPES}" ]; then
     SHILL_LOG_SCOPES="${APPEND_SCOPES}"
   else
     SHILL_LOG_SCOPES="${SHILL_LOG_SCOPES}+${APPEND_SCOPES}"
   fi
 fi
 if [ -z "${SHILL_LOG_LEVEL}" ]; then
   SHILL_LOG_LEVEL=0
 fi
 set -- "$@" --log-level="${SHILL_LOG_LEVEL}" --log-scopes="${SHILL_LOG_SCOPES}"

 if [ -n "${SHILL_LOG_VMODULES}" ]; then
   set -- "$@" --vmodule="${SHILL_LOG_VMODULES}"
 fi

 # Run shill as shill user/group in a minijail:
 #   -f write the PIDs of the process tree to CGROUP_FREEZER_PIDFILE, if it
 #     exists. CGROUP_FREEZER_PIDFILE file exists only if `key_eviction`USE flag
 #     is enabled.
 #   -G so shill programs can inherit supplementary groups.
 #   -n to run shill with no_new_privs.
 #   -B 20 to avoid locking SECURE_KEEP_CAPS flag.
 #   -c for runtime capabilities:
 #     CAP_WAKE_ALARM | CAP_NET_RAW | CAP_NET_ADMIN | CAP_NET_BROADCAST |
 #     CAP_NET_BIND_SERVICE | CAP_SETPCAP | CAP_SETUID | CAP_SETGID | CAP_KILL
 #   --ambient so child processes can inherit runtime capabilities.
 #   -i to lose the dangling minijail0 process.
 if [ -f "${CGROUP_FREEZER_PIDFILE}" ]; then
   # Will add the PIDs in the freezer cgroup.
   exec /sbin/minijail0 -u shill -g shill -f "${CGROUP_FREEZER_PIDFILE}" -G -n \
       -B 20 -c 800003de0 --ambient -i -- /usr/bin/shill "$@"
 else
   exec /sbin/minijail0 -u shill -g shill -G -n -B 20 -c 800003de0 --ambient -i \
        -- /usr/bin/shill "$@"
 fi
	#!/bin/sh
	# Copyright 2018 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	CGROUP_FREEZER_PIDFILE=/sys/fs/cgroup/freezer/system_daemons/cgroup.procs

	# Set logging level and scope if sticky flag exists.
	if [ -f /var/cache/modem-utilities/log_shill_verbose3 ]; then
	# Only set SHILL_LOG_LEVEL if no value was set
	if [ -z "${SHILL_LOG_LEVEL}" ]; then
	SHILL_LOG_LEVEL="-3"
	fi
	APPEND_SCOPES="cellular+modem+device+dbus+manager"
	if [ -z "${SHILL_LOG_SCOPES}" ]; then
	SHILL_LOG_SCOPES="${APPEND_SCOPES}"
	else
	SHILL_LOG_SCOPES="${SHILL_LOG_SCOPES}+${APPEND_SCOPES}"
	fi
	fi
	if [ -z "${SHILL_LOG_LEVEL}" ]; then
	SHILL_LOG_LEVEL=0
	fi
	set -- "$@" --log-level="${SHILL_LOG_LEVEL}" --log-scopes="${SHILL_LOG_SCOPES}"

	if [ -n "${SHILL_LOG_VMODULES}" ]; then
	set -- "$@" --vmodule="${SHILL_LOG_VMODULES}"
	fi

	# Run shill as shill user/group in a minijail:
	# -f write the PIDs of the process tree to CGROUP_FREEZER_PIDFILE, if it
	# exists. CGROUP_FREEZER_PIDFILE file exists only if `key_eviction`USE flag
	# is enabled.
	# -G so shill programs can inherit supplementary groups.
	# -n to run shill with no_new_privs.
	# -B 20 to avoid locking SECURE_KEEP_CAPS flag.
	# -c for runtime capabilities:
	# CAP_WAKE_ALARM \| CAP_NET_RAW \| CAP_NET_ADMIN \| CAP_NET_BROADCAST \|
	# CAP_NET_BIND_SERVICE \| CAP_SETPCAP \| CAP_SETUID \| CAP_SETGID \| CAP_KILL
	# --ambient so child processes can inherit runtime capabilities.
	# -i to lose the dangling minijail0 process.
	if [ -f "${CGROUP_FREEZER_PIDFILE}" ]; then
	# Will add the PIDs in the freezer cgroup.
	exec /sbin/minijail0 -u shill -g shill -f "${CGROUP_FREEZER_PIDFILE}" -G -n \
	-B 20 -c 800003de0 --ambient -i -- /usr/bin/shill "$@"
	else
	exec /sbin/minijail0 -u shill -g shill -G -n -B 20 -c 800003de0 --ambient -i \
	-- /usr/bin/shill "$@"
	fi