|author||Greg Kerr <email@example.com>||Mon Oct 31 21:10:31 2016|
|committer||chrome-bot <firstname.lastname@example.org>||Thu Nov 03 05:24:46 2016|
Sandboxing the imageloader process into a minijail.

This sandboxes the imageloader into a minijail using a non-root user, namespaces, and a seccomp filter. Imageloader runs as a non-privileged user during component registration, and then as root when mounting components at boot time.

BUG=chromium:630421
TEST=run imageloader on x86,amd64, and arm devices

Change-Id: Ib5f720fc8b4b10e1a7bd54dba5d0f10b772acee8
Reviewed-on: https://chromium-review.googlesource.com/406507
Commit-Ready: Greg Kerr <email@example.com>
Tested-by: Greg Kerr <firstname.lastname@example.org>
Reviewed-by: Ricky Zhou <email@example.com>
Reviewed-by: Mike Frysinger <firstname.lastname@example.org>

This aims to provide a generic utility to load (mount) and unload (unmount) verified disk images through DBus IPC.
imageloader can be run as root and can handle mounting and unmounting of disk images.
imageloadclient is a simple client (intended to be run as chronos) that can talk to imageloader and ask it to mount and unmount disk images. When imageloader is not running, DBus can invoke it via the one-time run option (imageloader -o) and get the task done.