| # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Run the tlsdate daemon to set the system time" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services |
| stop on stopping system-services |
| respawn |
| |
| expect fork |
| |
| # We sync time from Google servers, so use the reduced set of certs that we |
| # have specifically for talking to Google systems. |
| env GOOGLE_CERTS=/usr/share/chromeos-ca-certificates |
| |
| pre-start script |
| mkdir -m 755 -p /var/cache/tlsdated |
| # Make sure the timestamp file has the proper permissions if it exists. |
| chmod 0644 /var/cache/tlsdated/timestamp || true |
| |
| # If shill hasn't finished initializing, its internal state won't yet exist. |
| # Create it here in the same way it does. |
| # TODO: We really should move the target of /etc/resolv.conf to a common |
| # place that is independent of any daemon (such as "shill"). |
| mkdir -p /run/shill || true |
| end script |
| |
| # The various paths we bind mount: |
| # - /dev/log: For syslog. |
| # - /dev/rtc: To check/sync hwclock. |
| # - /run/dbus: To communicate over dbus. |
| # - /run/shill: For access to /etc/resolv.conf settings. |
| # - /var/cache/tlsdated: Our internal state. |
| # |
| # We can't enter a new net namespace since this, by design, uses the network. |
| # |
| # We don't run the main process under seccomp (yet), but tlsdated will run the |
| # tlsdate child through a seccomp filter itself before talking to the network. |
| # |
| # When running tlsdate, tlsdated stitches together an argument vector for it |
| # as follows: it begins with everything supplied to it after the --, then |
| # appends -H $host -p $port, and maybe -x $proxy if it has a proxy to use. |
| script |
| # Not all systems have hardware clocks, so don't fail if they're missing. |
| # tlsdate itself will also automatically skip things if it's missing. |
| RTC_ARG='' |
| if [ -e /dev/rtc ]; then |
| RTC_ARG='-b /dev/rtc' |
| fi |
| |
| exec minijail0 -i \ |
| -p -v -r --uts -l \ |
| --profile minimalistic-mountns -b /dev/log ${RTC_ARG} \ |
| -k '/run,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/dbus,,1 -b /run/shill \ |
| -k '/var,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /var/cache/tlsdated,,1 \ |
| /usr/bin/tlsdated -- /usr/bin/tlsdate -v -C "${GOOGLE_CERTS}" -l |
| end script |