Clean up the minijail0 invocation

This change uses /var/empty as the chroot to match the way we invoke the
rest of the services. It also stops creating/deleting the chroot
directory.

BUG=b:65450844
BUG=chromium:849455
BUG=chromium:861994
TEST=fizz tryjob

Change-Id: I6a76cc92d93bdb8f7edf2990cb0cf219ac20f4ff
Reviewed-on: https://chromium-review.googlesource.com/1087681
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Emil Lundmark <lndmrk@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/init/atrusd.conf b/init/atrusd.conf
index c8570eb..818ebce 100644
--- a/init/atrusd.conf
+++ b/init/atrusd.conf
@@ -10,17 +10,6 @@
 respawn
 respawn limit 3 10  # if the job respawns 3 times in 10 seconds, stop trying.
 
-env chroot=/tmp/atrusd_chroot
-
-pre-start script
-  mkdir -p "$chroot/dev" "$chroot/lib/firmware/google" "$chroot/run/udev" \
-           "$chroot/sys" "$chroot/tmp" "$chroot/usr/sbin" "$chroot/run/dbus"
-end script
-
-post-stop script
-  rm -rf "$chroot"
-end script
-
 expect fork
 
 # -u run as user atrus
@@ -29,21 +18,20 @@
 #    possible to have an udev rule that granted e.g. group atrus rw permissions.
 #    However, there's a rule /lib/udev/rules.d/99-hidraw.rules that would
 #    override this.
-# -i exit minijail0 so upstart isn't blocked
+# -i exit immediately after fork (do not act as init).
 # -l enter new IPC namespace
-# -N enter new cgroup namespace
 # -p enter new pid namespace
 # -n set no_new_privs
 # -w create and join a new anonymous session keyring
 # -P pivot_root(2) into the chroot
 # -t create a new /tmp inside chroot
-# -b directories to mount into chroot
+# -b/-k directories to mount into chroot
 #
 # -e isn't used because atrusd won't receive libudev events when it's used
-exec minijail0 -u atrus -g atrus -c 2 -i -l -N -p -n -w \
-     -P "$chroot" -t -b /dev,/dev -b /sys,/sys -b /usr/sbin,/usr/sbin \
-     -b /lib/firmware/google,/lib/firmware/google -b /run/udev,/run/udev \
-     -b /run/dbus,/run/dbus -- \
-     /usr/sbin/atrusd \
+exec minijail0 -u atrus -g atrus -c 2 -i -l -p -n -w -t \
+     -P /var/empty -b / -b /dev -b /sys \
+     -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
+     -b /run/udev -b /run/dbus \
+     -- /usr/sbin/atrusd \
      --upgrade_file_path=/lib/firmware/google/atrus-fw-bundle-latest.bin \
      --vmodule=diagnostics=1,udev_device_manager=1,atrusd=1
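Review bot: The new `-b /` on the `-P /var/empty` line bind-mounts the entire root filesystem into the jail, and the flag legend does not say so. The old invocation exposed only `/usr/sbin` and `/lib/firmware/google` besides `/dev`, `/sys` and the two `/run` subdirectories. Since the legend above the `exec` is the only record of the sandbox's intent, it should state the wider view, e.g. `# -b / bind-mount the whole rootfs (read-only by default); atrusd can read anything user atrus can`. The hunk also drops `-N` from both the legend and the command with no reason given in the commit message; a line such as `# -N (cgroup namespace) isn't used because <reason>`, in the style of the existing `-e` note, would show the removal is deliberate. The legend begins above this hunk.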