% minijail-config-file v0
# Minijail settings:
# -i exit immediately after fork
# -u run as user hpsd
# -g run as group hpsd
# -n set no_new_privs
# -R RLIMIT_NICE,40,40 to allow niceness of -20
# -T static to apply the sandbox policy before exec, so that cros_hpsd doesn't
# need any additional SELinux privileges for doing the same
# --profile=minimalistic-mountns-nodev to set up a mostly empty pivot root
#
# Namespaces:
# -N enter new cgroup namespace
# --uts enter new UTS/hostname namespace
# -e enter new network namespace
# -p enter new pid namespace
#
# Mounts:
# -k to mount tmpfs at /run and /var (writable, but nosuid/nodev/noexec so
#    nothing written there can be executed or used for privilege escalation)
# -b /var/lib/metrics (writable) to enable UMA
# -b /var/lib/hpsd (writable) for UMA cumulative metrics
#
# For I2C:
# -b /dev (writable) -- NOTE: this exposes every host device node the hpsd
#    user can open, not only the I2C bus; narrowing it to the specific
#    i2c-N node(s) would preserve most of the benefit of the -nodev profile
# -b /sys
# -b /sys/bus
# -b /sys/class
# -b /sys/devices (writable) -- likewise grants write access to the sysfs
#    attributes of all devices, not just the HPS one
#
# For DBUS:
# -b /run/dbus
# Exit immediately after fork (-i); minijail does not wait for the child.
i
# Run as the unprivileged hpsd user and group (-u/-g).
u = hpsd
g = hpsd
# no_new_privs (-n): neither this process nor its children can regain
# privileges through setuid binaries or file capabilities.
n
# RLIMIT_NICE soft/hard = 40, which permits a niceness of -20 (see header).
R = RLIMIT_NICE,40,40
# Target is statically linked (-T static): the sandbox is applied before exec
# instead of via LD_PRELOAD, so cros_hpsd needs no extra SELinux privileges.
T = static
# Mostly empty pivot root with no /dev; everything the daemon needs is bind
# mounted into it explicitly below.
profile = minimalistic-mountns-nodev
# Fresh cgroup (-N), UTS (--uts), network (-e) and pid (-p) namespaces.
N
uts
e
p
# Writable tmpfs for /run and /var, mounted nosuid/nodev/noexec so nothing
# placed there can be executed or used to escalate.
mount = tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
mount = tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC
# Writable bind mounts (trailing ",,1" = writable) for UMA metrics state.
bind-mount = /var/lib/metrics,,1
bind-mount = /var/lib/hpsd,,1
# NOTE(review): binding the whole host /dev read-write exposes every device
# node the hpsd user can open, not only the I2C bus, and largely undoes the
# "-nodev" profile. Kept as-is because the header states it is required for
# I2C; consider narrowing to the specific /dev/i2c-N node(s) if they are
# known at packaging time.
bind-mount = /dev,,1
# Read-only sysfs views. Mount order is significant here -- presumably /sys
# must come before the paths beneath it or they would be shadowed; keep this
# order when editing.
bind-mount = /sys
bind-mount = /sys/bus
bind-mount = /sys/class
# Writable per header (needed for I2C); note this is the sysfs attribute tree
# for all devices, not only the HPS device.
bind-mount = /sys/devices,,1
# D-Bus socket directory, bind mounted read-only over the /run tmpfs above.
bind-mount = /run/dbus
# NOTE(review): no seccomp filter (-S) is configured in this file; confirm the
# syscall policy for cros_hpsd is supplied elsewhere (e.g. on the minijail0
# command line), since the namespaces and mounts above do not restrict syscalls.