Sandbox jabra_vold daemon.

BUG=chromium:370485
TEST=trybot build
CQ-DEPEND=CL:218325

Change-Id: If5446c30159540bebaeeb4bab6f0fb2b495beace
Reviewed-on: https://chromium-review.googlesource.com/218341
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Haixia Shi <hshi@chromium.org>
Commit-Queue: Haixia Shi <hshi@chromium.org>
diff --git a/99-jabra-usbmon.rules b/99-jabra-usbmon.rules
new file mode 100644
index 0000000..54897ab
--- /dev/null
+++ b/99-jabra-usbmon.rules
@@ -0,0 +1,2 @@
+# Make the /dev/usbmon* device only accessible by the volume group.
+SUBSYSTEM=="usbmon", OWNER="root", GROUP="volume", MODE="0660"
diff --git a/99-jabra.rules b/99-jabra.rules
index 151d351..151bc16 100644
--- a/99-jabra.rules
+++ b/99-jabra.rules
@@ -15,8 +15,10 @@
 LABEL="jabra_action"
 
 # start the jabra_vold daemon
-ACTION=="add", RUN+="/usr/sbin/jabra_vold -a start -n $env{DEVNUM} -b $env{BUSNUM}"
+ACTION=="add", RUN+="/bin/mkdir -p /var/run/jabra_vold"
+ACTION=="add", RUN+="/bin/chown volume:volume /var/run/jabra_vold"
+ACTION=="add", RUN+="/sbin/minijail0 -u volume -g volume -G -- /usr/sbin/jabra_vold -a start -n $env{DEVNUM} -b $env{BUSNUM}"
 # stop the daemon
-ACTION=="remove", RUN+="/usr/sbin/jabra_vold -a stop -n $env{DEVNUM} -b $env{BUSNUM}"
+ACTION=="remove", RUN+="/sbin/minijail0 -u volume -g volume -G -- /usr/sbin/jabra_vold -a stop -n $env{DEVNUM} -b $env{BUSNUM}"
 
 LABEL="jabra_end"
diff --git a/jabra.c b/jabra.c
index 515c163..8c78db9 100644
--- a/jabra.c
+++ b/jabra.c
@@ -458,7 +458,7 @@
 	devnum = atoi(devnum_str);
 	if (loglevel_str)
 		loglevel = atoi(loglevel_str);
-	snprintf(pid_filename, sizeof(pid_filename), "/var/run/jabra_vold.%d.%d.pid",
+	snprintf(pid_filename, sizeof(pid_filename), "/var/run/jabra_vold/jabra_vold.%d.%d.pid",
 			busnum, devnum);
 
 	if (strcmp(action_str, "start") == 0) {