# Copyright 2024 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# TODO(b/202562855): Patch dns-proxy conf instead of forking.
description "DNS proxy daemon forked from `dns-proxy/init/dns-proxy.conf`"
author "chromeos-core-services@google.com"
start on starting system-services
stop on stopping system-services
respawn
respawn limit 3 5
# Do not respawn if the service is terminated on purpose.
normal exit 0
# Sacrifice before OOM panic.
oom score 0
# Minijail actually forks off the desired process.
expect fork
script
# Build the minijail0 argument list one flag at a time, then exec minijail0
# so it replaces this shell; minijail0 itself forks the daemon ("expect fork"
# above).
# Start constructing minijail0 args...
args=""
# Make sure minijail0 exits right away and won't block upstart.
args="${args} -i"
# Create a cgroup namespace.
args="${args} -N"
# Create a UTS namespace to isolate changes to the host / domain name.
args="${args} --uts"
# Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
args="${args} -l"
# Remount /proc read-only (prevents any messing with it).
args="${args} -r"
# Creates new, empty tmp directory (technically, mounts tmpfs).
args="${args} -t"
# Set no_new_privs so execve cannot gain privileges; required for seccomp
# filters.
args="${args} -n"
# Apply seccomp policy.
args="${args} -S /usr/share/policy/dns-proxy-seccomp.policy"
# Run as dns-proxy user and group (not root).
args="${args} -u dns-proxy -g dns-proxy"
# Keep only the listed capabilities for the unprivileged dns-proxy user:
#  - CAP_SYS_ADMIN so that the daemon can start sandboxed processes. This is
#    a broad capability; NOTE(review): confirm it is still required.
#  - CAP_NET_BIND_SERVICE so that it can bind to the default DNS port (53).
args="${args} -c cap_sys_admin,cap_net_bind_service=e"
# Execute dns-proxy.
args="${args} /bin/dnsproxyd"
# -e (new network namespace) is not specified because the service needs to
# connect to DNS servers over the host network.
# ${args} is intentionally unquoted so the shell splits it into separate
# arguments for minijail0.
exec minijail0 ${args}
end script