| # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the cryptohome daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # Starts the cryptohome daemon, which handles mounting and |
| # unmounting users' encrypted home directories. Also supports |
| # offline login checks. |
| start on started boot-services and started tcsd and started chapsd |
| stop on stopping boot-services |
| respawn |
| |
| # Where we store the attestation-based enterprise enrollment data. The |
| # daemon will check for this environment variable and read the file at |
| # startup before forking. |
| env ABE_DATA_FILE=/run/cryptohomed.abe_data |
| |
| env OLD_ATTESTATION_PATH="/mnt/stateful_partition/home/.shadow/attestation.epb" |
| env NEW_ATTESTATION_PATH="/mnt/stateful_partition/unencrypted/preserve/attestation.epb" |
| |
| # Set in the ebuild. |
| env DIRENCRYPTION_FLAG="" |
| |
| # If attestation.epb still exists in its old location, move it to the new |
| # location where cryptohome will look for it. |
| pre-start script |
| # Paths under the stateful partition cannot be trusted. Only operate |
| # on them after verifying that they don't contain symlinks pointing |
| # elsewhere. |
| has_symlink() { |
| local path="$1" |
| [ "$(realpath "${path}")" != "${path}" ] |
| } |
| |
| if [ -f "${OLD_ATTESTATION_PATH}" ] && |
| ! has_symlink "${OLD_ATTESTATION_PATH}" && |
| ! has_symlink "${NEW_ATTESTATION_PATH}"; then |
| mv "${OLD_ATTESTATION_PATH}" "${NEW_ATTESTATION_PATH}" |
| fi |
| (vpd -g stable_device_secret_DO_NOT_SHARE || printf '') >$ABE_DATA_FILE |
| end script |
| |
| expect fork |
| exec cryptohomed --noclose ${DIRENCRYPTION_FLAG} |
| |
| post-start exec rm -f $ABE_DATA_FILE |
