| % minijail-config-file v0 |
| |
| # Copyright 2023 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Namespaces: |
| # Enter new IPC namespace. |
| l |
| # Enter new cgroup namespace. |
| N |
| # Enter new pid namespace. |
| p |
| # Enter new UTS/hostname namespace. |
| uts |
| # Set up a minimalistic mount namespace. |
| profile=minimalistic-mountns |
| |
| # Enable seccomp policy. |
| S = /usr/share/policy/flex_hwis-seccomp.policy |
| # Set user and group. |
| u = flex_hwis |
| g = flex_hwis |
| # Inherit supplementary groups of the user, needed for the |
| # policy-readers group to access /var/lib/devicesettings. |
| G |
| |
| # Mounts: |
| # Mount tmpfs at /run and /var. |
| mount = /run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M |
| mount = /var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M |
| # Allow UMA metrics. |
| bind-mount = /var/lib/metrics,,1 |
| # Allow loading device policy. |
| bind-mount = /var/lib/devicesettings,,1 |
| # Allow access to flex_hwis data. |
| bind-mount = /var/lib/flex_hwis_tool,,1 |
| # Allow D-Bus. |
| bind-mount = /run/dbus |
| # Allow checking enrollment. |
| bind-mount = /run/lockbox |
| # Allow mojo. |
| bind-mount = /run/mojo,,1 |
| # Allow DNS resolution. |
| bind-mount = /run/dns-proxy |
| bind-mount = /run/shill |
