path: root/sound_card_init/sound_card_init.conf
# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Installed by sound_card_init package.
# sound_card_init upstart job.
# sound_card_init is started by /lib/udev/rules.d/99-sound_card_init.rules

description     "Chrome OS sound card initializer"
author          "chromium-os-dev@chromium.org"

# sound_card_init is a short-running process, but it is not started as a
# task job: it has to wait for the sound card to be ready in CRAS, and we do
# not want to block udev rule processing while it does.

# Make the task killable, because if it has a leak it's better to
# restart it than to OOM-panic.
oom score 0

# SOUND_CARD_ID is provided by /lib/udev/rules.d/99-sound_card_init.rules.
# The value arrives through the job environment and is later expanded into a
# filesystem path and a command-line argument, so the pre-start script checks
# it against an alphanumeric pattern before anything else uses it.
import SOUND_CARD_ID

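pre-start script
  # SOUND_CARD_ID comes from the udev event and ends up in a path that this
  # script creates and chowns, so accept only a non-empty run of letters and
  # digits. The whole value is matched with a shell pattern instead of being
  # piped through grep: grep tests each line separately, so a multi-line
  # value would be accepted as long as one of its lines was alphanumeric.
  case "${SOUND_CARD_ID}" in
    ""|*[!a-zA-Z0-9]*)
      logger -t "${UPSTART_JOB}" \
        "Invalid SOUND_CARD_ID supplied"
      # A non-zero exit from pre-start keeps the main exec from running.
      exit 1
      ;;
  esac

  # -m applies to the leaf directory only; parents created by -p take their
  # mode from the umask.
  mkdir -m 0755 -p /var/lib/sound_card_init/"${SOUND_CARD_ID}"
  # NOTE(review): this walks a tree that the sound_card_init user can write
  # to, presumably as root (no setuid stanza is visible here). Confirm the
  # chown in use does not follow symbolic links met during the recursive
  # walk, or narrow it to the directories created above.
  chown -R sound_card_init:sound_card_init /var/lib/sound_card_init
end script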

# Sandbox for the main process. SOUND_CARD_ID is expanded below into a bind
# path and into the --id argument; it is only safe to do so because the
# pre-start script has already rejected anything that is not alphanumeric.
#
# Here (in order) are a list of the args added:
# --uts: Create and enter new UTS namespace (hostname/NIS domain name).
# -e: new network namespace; the process doesn't need network access.
# -l: new IPC namespace; the process doesn't use SysV shared memory or IPC.
# -N: new cgroup namespace; doesn't need to modify control groups settings.
# -v: run inside a new VFS (mount) namespace.
# -p -r: new PID namespace with /proc remounted read-only; the process
#        doesn't need to access other processes in the system.
# -n: set no_new_privs; the process doesn't need new privileges.
# -P: pivot_root into /mnt/empty, which becomes the root fs.
# -b: bind / (read-only, since no writable flag is given).
# -k: Get a writeable and empty /run tmpfs path.
# -b: need /run/cras to connect cras.
# -b: /run/systemd/journal: needed for syslog.
# -b: need /dev to send ioctls to the system's block devices.
#     NOTE(review): this exposes the whole of /dev to the sandbox; if only
#     the sound device nodes are used, a narrower bind would do - confirm.
# -k: empty /sys tmpfs path.
# -b: need /sys/firmware/vpd/ro/ access to read the default calibration value in vpd.
# -k: get a writeable and empty /var tmpfs path.
# -b: need /var/lib/sound_card_init/$SOUND_CARD_ID writable access for datastore update
#     (the trailing ",,1" keeps the same destination and makes the bind writable).
# -b: need /var/lib/cras readable
# -u -g: run as the sound_card_init user and group.
# -G: inherit the supplementary groups of that user.
# -S: apply the seccomp filter policy from the given file.
#
# The -k and -b mounts are order-dependent: each tmpfs hides what the bind of
# / exposed at that path, and the binds that follow re-expose only the listed
# subpaths on top of it.
exec minijail0 \
    --uts \
    -e \
    -l \
    -N \
    -v \
    -p -r \
    -n \
    -P /mnt/empty \
    -b / \
    -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
    -b /run/cras \
    -b /run/systemd/journal \
    -b /dev \
    -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
    -b /sys/firmware/vpd/ro/ \
    -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
    -b /var/lib/sound_card_init/"${SOUND_CARD_ID}"/,,1 \
    -b /var/lib/cras/ \
    -u sound_card_init -g sound_card_init -G \
    -S /usr/share/policy/sound_card_init-seccomp.policy \
    /usr/bin/sound_card_init "--id=${SOUND_CARD_ID}"