| # Copyright 2017 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the VM concierge service" |
| author "chromium-os-dev@chromium.org" |
| |
| # Start the VM concierge service, which is responsible for managing all the |
| # VMs running in the system. |
| stop on stopping ui |
| respawn |
| expect fork |
| |
| # Give any running VMs enough time to attempt an orderly shutdown. |
| kill timeout 30 |
| |
| pre-start script |
| # Make sure the vsock module is loaded. |
| modprobe -q vhost-vsock |
| |
| # Create the runtime directory. |
| mkdir -p /run/vm |
| chown crosvm:crosvm /run/vm |
| end script |
| |
| # Allow the following capabilities: |
| # |
| # CAP_NET_ADMIN = 0x0001000 for creating tap devices |
| # |
| # /proc is also remounted read-write because crosvm needs to be able to set the |
| # uid_map and gid_map for its child processes and that needs a writable /proc. |
| # |
| # The following mount flags are used below: |
| # MS_BIND = 0x1000 |
| # MS_REC = 0x4000 |
| # |
| # -Kslave is applied to propagate imageloader mounts into concierge's mount |
| # namespace. |
| exec minijail0 -nplrvd -t -i -I --uts \ |
| -u crosvm -g crosvm -G \ |
| -c 0x1000 \ |
| -Kslave \ |
| -P /var/empty \ |
| -b /,/ \ |
| -k proc,/proc,proc,0xe \ |
| -b /sys,/sys \ |
| -b /dev/log,/dev/log,1 \ |
| -b /dev/kvm,/dev/kvm,1 \ |
| -b /dev/net,/dev/net,1 \ |
| -b /dev/vhost-vsock,/dev/vhost-vsock,1 \ |
| -b /dev/dri,/dev/dri,1 \ |
| -k run,/run,tmpfs,0xe \ |
| -b /run/chrome,/run/chrome,1 \ |
| -b /run/dbus,/run/dbus,1 \ |
| -b /run/vm,/run/vm,1 \ |
| -k var,/var,tmpfs,0xe,mode=755,size=32M \ |
| -k empty,/var/empty,tmpfs,0xf,mode=755,size=32M \ |
| -k /run/imageloader,/run/imageloader,none,0x5000 \ |
| -k /home,/home,none,0x5000 \ |
| -- /usr/bin/vm_concierge |
