# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Authpolicy daemon"
author "chromium-os-dev@chromium.org"
# The service is started by Chrome via UpstartClient::StartAuthPolicyService().
stop on stopping ui
respawn
pre-start script
# Directories that must exist before authpolicyd starts. Everything else the
# daemon writes goes to the fresh tmpfs /tmp that minijail0's -t option
# provides on every invocation.
#
# make_daemon_dir MODE DIR: create DIR (and parents) with MODE, then hand the
# whole tree to the authpolicyd user and group.
# NOTE(review): chown -R re-walks a tree the daemon itself writes into; this
# relies on the platform keeping fs.protected_hardlinks enabled — confirm.
make_daemon_dir() {
  mkdir -m "$1" -p "$2"
  chown -R authpolicyd:authpolicyd "$2"
}

# Persistent state on encstateful: machine_pass and config.dat live here.
# Group x (mode 0710) is still required on older installations (domain join
# done before authpolicy wrote the password file) so that the authpolicyd-exec
# user can reach the machine keytab file.
AUTHPOLICY_LIB_DIR=/var/lib/authpolicyd
make_daemon_dir 0710 "${AUTHPOLICY_LIB_DIR}"

# Volatile state in /run: the default flags level is stored here. /run is
# wiped on reboot, so debug logging is reset on every boot and never persists
# (privacy and security).
AUTHPOLICY_RUN_DIR=/run/authpolicyd
make_daemon_dir 0700 "${AUTHPOLICY_RUN_DIR}"
end script
# Minijail actually forks off the desired process.
expect fork
script
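# Build the minijail0 command line as positional parameters so that every
# option reaches exec as its own word via "$@", instead of relying on unquoted
# word-splitting and glob expansion of a flat string (ShellCheck SC2086).
# None of the values below contain whitespace or glob characters, so the
# resulting argv is unchanged.
set --

# Make sure minijail0 exits right away and won't block upstart.
set -- "$@" -i
# Create a PID namespace (process won't see any other processes).
set -- "$@" -p
# Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
set -- "$@" -l
# Remount /proc read-only (prevents any messing with it).
set -- "$@" -r
# Enter new mount namespace, allows to change mounts inside jail.
set -- "$@" -v
# Creates new, empty tmp directory (technically, mounts tmpfs).
set -- "$@" -t
# Set no_new_privs so execve cannot gain privileges; required for seccomp
# filters.
set -- "$@" -n
# Capability mask in hex: 0x180 = CAP_SETUID (bit 7) | CAP_SETPCAP (bit 8).
# These let authpolicyd set authpolicyd-exec as saved UID and drop caps, so it
# can switch to the authpolicyd-exec user when running Samba code or parsing
# data. Note that all caps are dropped right after startup.
set -- "$@" -c 180
# Create a pivot_root at the target folder.
set -- "$@" -P /tmp/authpolicyd_chroot
# Make sure mounts are remounted as slave mounts, so that the user's
# cryptohome can propagate into the jail. Note that
# /run/daemon-store/authpolicyd is a shared mount.
set -- "$@" -Kslave
# Bind-mount / read-only.
set -- "$@" -b /
# Bind-mount /dev read-only for Samba to work.
set -- "$@" -b /dev
# Bind-mount /run read-only for Samba and D-Bus to work.
set -- "$@" -b /run
# Bind-mount /run/authpolicyd read-write to store debug flags and auth data.
set -- "$@" -b /run/authpolicyd,,1
# Bind-mount /run/daemon-store/authpolicyd read-write to back up auth state.
# Mount events for the user's cryptohome will propagate into our mount
# namespace. See
# https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md#securely-mounting-cryptohome-daemon-store-folders
# for more details. In case authpolicyd starts up when the user's cryptohome
# is already mounted (e.g. after a crash), the 0x5000 option (MS_REC|MS_BIND)
# makes sure the daemon store is visible inside the namespace as well.
set -- "$@" -k /run/daemon-store/authpolicyd,/run/daemon-store/authpolicyd,none,0x5000
# Bind-mount /sys read-only for Samba to work.
set -- "$@" -b /sys
# Bind-mount /var read-only for Samba to work.
set -- "$@" -b /var
# Bind-mount /var/lib/authpolicyd read-write to store daemon state.
set -- "$@" -b /var/lib/authpolicyd,,1
# Bind-mount /var/lib/metrics read-write to store UMA metrics.
set -- "$@" -b /var/lib/metrics,,1
# Run as authpolicyd user and group.
set -- "$@" -u authpolicyd -g authpolicyd
# Inherit authpolicyd's supplementary groups, in particular 'policy-readers'
# to read device policy.
set -- "$@" -G
# Execute authpolicyd.
set -- "$@" /usr/sbin/authpolicyd
# -e (network namespace) is deliberately not specified: the service needs to
# connect to an AD server to join a domain, authenticate users and fetch user
# and device policies.
exec minijail0 "$@"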
end script
# TO TEST:
# - Run without exec
# - Remove -t (so test code can read files from there), and add -b /tmp,/tmp,1
# Wait for daemon to claim its D-Bus name before transitioning to started.
post-start exec minijail0 -u authpolicyd -g authpolicyd /usr/bin/gdbus \
wait --system --timeout 15 org.chromium.AuthPolicy