| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the VM container communication service" |
| author "chromium-os-dev@chromium.org" |
| |
| # Starts the service that communicates with containers running inside of VMs. |
| # This sends/receives message into/from the container. |
| start on starting vm_concierge |
| stop on stopped vm_concierge |
| respawn |
| |
| pre-start script |
| # Set the iptables rules to allow the container inside a VM to communicate |
| # back with the host over gRPC. Ports are defined in: |
| # src/platform2/vm_tools/common/constants.h |
| # |
| # Open port for garcon. |
| iptables -A INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w |
| # Open port for tremplin. |
| iptables -A INPUT -p tcp --dport 7778 -i vmtap+ -j ACCEPT -w |
| end script |
| |
| post-stop script |
| # Close port for garcon. |
| iptables -D INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w |
| # Close port for tremplin. |
| iptables -D INPUT -p tcp --dport 7778 -i vmtap+ -j ACCEPT -w |
| end script |
| |
| # Launch this process jailed with a new IPC namespace, new PID namespace, |
| # remount /proc, new mount namespace, no new privileges, drop all caps, |
| # launch as user/group vm_cicerone, set up seccomp-bpf. |
| exec minijail0 -l -p -r -v -n -c 0 -u vm_cicerone -g vm_cicerone \ |
| -S /usr/share/policy/vm_cicerone-seccomp.policy -- /usr/bin/vm_cicerone |