blob: e0b914931e50bdc5159844033de1cdd132a1ec67 [file] [log] [blame]
# Copyright 2017 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start camera algorithm service"
author ""
start on started system-services
stop on stopping system-services
expect fork
respawn limit 10 5
env CHROOT_PATH=/run/camera
env SECCOMP_POLICY_FILE=/usr/share/policy/cros-camera-algo.policy
pre-start script
set -x
# Create directory for mounting /dev/urandom in chroot
mkdir -p "${CHROOT_PATH}"/dev
# Create directory for binding camera configs in chroot
mkdir -p "${CHROOT_PATH}"/etc/camera
end script
# Start constructing minijail0 args...
# Enter a new mount, network, PID, IPC and cgroup namespace.
args="$args -v -e -p -l -N"
# Change user and group to arc-camera.
args="$args -u arc-camera -g arc-camera"
# Set -i to fork and daemonize an init-like process that Upstart will track
# as the service.
args="$args -i"
# Chroot and mount /usr, /proc, /dev/urandom, and /run/camera.
args="$args -P ${CHROOT_PATH} -k /usr,/usr,none,0x1000"
args="$args -k /proc,/proc,proc,0xe"
args="$args -k /dev/urandom,/dev/urandom,none,0x1001"
args="$args -b /run/camera,,1"
# Set RLIMIT_NICE(=13) to 40,40
args="$args -R 13,40,40"
# Only mount /etc/camera if it exists.
if [ -d /etc/camera ]; then
args="$args -b /etc/camera,/etc/camera"
# Drop privileges and set seccomp filter.
args="$args -n -S ${SECCOMP_POLICY_FILE}"
args="$args -- /usr/bin/cros_camera_algo"
exec minijail0 $args
end script