| # Copyright 2020 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Daemon for writing disk images to USB sticks & SD cards" |
| author "chromium-os-dev@chromium.org" |
| |
| # This daemon is started by D-Bus service activation configured in |
| # org.chromium.ImageBurner.service. |
| stop on stopping ui |
| |
| pre-start script |
| # Check if ui is still running before starting image-burner |
| # This is to prevent new dbus-activated instances from getting started once |
| # the system is beginning to shut down. |
| if ! initctl status ui | grep -q running; then |
| stop |
| exit 0 |
| fi |
| end script |
| |
| script |
| # Start constructing minijail0 args... |
| set -- |
| set -- "$@" -u image-burner -g image-burner |
| |
| # Run with all supplementary groups including disk and |
| # chronos-access. |
| set -- "$@" -G |
| |
| # TODO(lziest): remove CAP_DAC_READ_SEARCH after we fix the directory |
| # permission setting in the recovery utility app. |
| # Capability CAP_DAC_READ_SEARCH is required to workaround the issue that |
| # downloaded image files are stored in a temporary directory only readable |
| # by user 'chronos'. |
| set -- "$@" -c cap_dac_read_search=ep |
| |
| # Enter Chrome mount namespace taking advantage of user session isolation. |
| # Use an env variable so we can clear the value if the corresponding USE flag |
| # is not present. |
| env MNT_NS_ARGS="-V '/run/namespaces/mnt_chrome'" |
| set -- "$@" ${MNT_NS_ARGS} |
| |
| exec minijail0 "$@" -- /usr/sbin/image_burner |
| end script |
| |
| # Wait for daemon to claim its D-Bus name before transitioning to started. |
| post-start exec minijail0 -u chronos -g chronos /usr/bin/gdbus \ |
| wait --system --timeout 15 org.chromium.ImageBurner |