blob: 002e8e8182f00a801903e12fc356de2ea5c39e44 [file] [log] [blame]
# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start the seneschal service"
author "chromium-os-dev@chromium.org"
# Start the seneschal service, which acts as the steward of the user's /home.
start on starting vm_concierge
stop on stopped vm_concierge
respawn
expect fork
pre-start script
# Make sure the necessary kernel modules are loaded.
modprobe -q vhost-vsock
# Create the runtime directory.
mkdir -p /run/seneschal
chown seneschal:seneschal /run/seneschal
end script
# Since we are in an unprivileged user namespace, all bind mounts require the
# MS_REC flag to also be set and bind mounting / recursively defeats the purpose
# of using pivot_root. Instead we use nested jails: one to set up the mounts
# and another to create the user namespace. /proc needs to be mounted read-
# write so that we can set the uid and gid maps.
exec minijail0 -nplrvNiI --uts --profile=minimalistic-mountns \
-b /dev/log,/dev/log,1 \
-k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
-k 'run,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC,mode=755,size=64M' \
-b /run/dbus,/run/dbus,1 \
-b /run/seneschal,/run/seneschal,1 \
-k '/home,/home,none,MS_BIND|MS_REC' \
-k '/media,/media,none,MS_BIND|MS_REC' \
-- /sbin/minijail0 -U -I \
-m"0 20114 1,20115 20115 1,1000 1000 1" \
-M"0 20114 1,20115 20115 1,1000 1000 2" \
-- /usr/bin/seneschal