| # Copyright 2019 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the chunneld localhost tunneling service" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started vm_concierge |
| stop on stopped vm_concierge |
| respawn |
| |
| # Basic mounts: --profile minimalistic-mountns |
| # Get a writable and empty /run path: -k 'run,/run,tmpfs...' |
| # Mount /run/dbus for dbus socket: -b /run/dbus |
| # Enter cgroup ns: -N |
| # Create new hostname namespace: --uts |
| # Enter pid ns: -p |
| # No new privs: -n |
| # Enter IPC ns: -l |
| # Restrict all caps: -c 0 |
| # Run as chunneld user: -u chunneld |
| # Run as chunneld group: -g chunneld |
| # Use seccomp policy: -S /usr/share/policy/chunneld-seccomp.policy |
| exec minijail0 \ |
| --profile minimalistic-mountns \ |
| -k 'run,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC,mode=755,size=64M' \ |
| -b /run/dbus \ |
| -N --uts -p -n -l -c 0 \ |
| -u chunneld \ |
| -g chunneld \ |
| -S /usr/share/policy/chunneld-seccomp.policy \ |
| -- /usr/bin/chunneld |