Diffstat (limited to 'sound_card_init/sound_card_init.conf')
-rw-r--r-- | sound_card_init/sound_card_init.conf | 88 |
1 files changed, 47 insertions, 41 deletions
diff --git a/sound_card_init/sound_card_init.conf b/sound_card_init/sound_card_init.conf
index 7ab0211e..40bc88f8 100644
--- a/sound_card_init/sound_card_init.conf
+++ b/sound_card_init/sound_card_init.conf
@@ -31,44 +31,50 @@ pre-start script
 fi
 end script
-# Here (in order) are a list of the args added:
-# --uts: Create and enter new UTS namespace (hostname/NIS domain name).
-# -e: doesn't need network access.
-# -l: process doesn't use SysV shared memory or IPC.
-# -N: doesn't need to modify control groups settings.
-# -v: run inside a new VFS namespace.
-# -p -r: process doesn't need to access other processes in the system.
-# -n: process doesn't need new privileges.
-# -P: set /mnt/empty as the root fs.
-# -b: bind /
-# -k: Get a writeable and empty /run tmpfs path.
-# -b: need /run/cras to connect cras.
-# -b: /run/systemd/journal: needed for syslog.
-# -b: need /dev to send ioctls to the system's block devices.
-# -k: empty /sys tmpfs path.
-# -b: need /sys/firmware/vpd/ro/ access to read the default calibration value in vpd.
-# -k: get a writeable and empty /var tmpfs path.
-# -b: need /var/lib/sound_card_init/$SOUND_CARD_ID writable access for datastore update.
-# -b: need /var/lib/cras readable
-exec minijail0 \
- --uts \
- -e \
- -l \
- -N \
- -v \
- -p -r \
- -n \
- -P /mnt/empty \
- -b / \
- -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
- -b /run/cras \
- -b /run/systemd/journal \
- -b /dev \
- -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
- -b /sys/firmware/vpd/ro/ \
- -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
- -b /var/lib/sound_card_init/"${SOUND_CARD_ID}"/,,1 \
- -b /var/lib/cras/ \
- -u sound_card_init -g sound_card_init -G \
- -S /usr/share/policy/sound_card_init-seccomp.policy \
- /usr/bin/sound_card_init "--id=${SOUND_CARD_ID}"
+
+script
+ CONFIG="$(cros_config /audio/main sound-card-init-conf)"
+ if [ -f /etc/sound_card_init/"${CONFIG}" ]; then
+ # Here (in order) are a list of the args added:
+ # --uts: Create and enter new UTS namespace (hostname/NIS domain name).
+ # -e: doesn't need network access.
+ # -l: process doesn't use SysV shared memory or IPC.
+ # -N: doesn't need to modify control groups settings.
+ # -v: run inside a new VFS namespace.
+ # -p -r: process doesn't need to access other processes in the system.
+ # -n: process doesn't need new privileges.
+ # -P: set /mnt/empty as the root fs.
+ # -b: bind /
+ # -k: Get a writeable and empty /run tmpfs path.
+ # -b: need /run/cras to connect cras.
+ # -b: need /dev to send ioctls to the system's block devices.
+ # -k: empty /sys tmpfs path.
+ # -b: need /sys/firmware/vpd/ro/ access to read the default calibration
+ # value in vpd.
+ # -k: get a writeable and empty /var tmpfs path.
+ # -b: need /var/lib/sound_card_init/$SOUND_CARD_ID writable access for
+ # datastore update.
+ # -b: need /var/lib/cras readable
+ exec minijail0 \
+ --uts \
+ -e \
+ -l \
+ -N \
+ -v \
+ -p -r \
+ -n \
+ -P /mnt/empty \
+ -b / \
+ -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
+ -b /run/cras \
+ -b /dev \
+ -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
+ -b /sys/firmware/vpd/ro/ \
+ -k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
+ -b /var/lib/sound_card_init/"${SOUND_CARD_ID}"/,,1 \
+ -b /var/lib/cras/ \
+ -u sound_card_init -g sound_card_init -G \
+ -S /usr/share/policy/sound_card_init-seccomp.policy \
+ /usr/bin/sound_card_init "--id=${SOUND_CARD_ID}" "--conf=${CONFIG}"
+ fi
+end script
\ No newline at end of file |
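Review bot: The `-b /run/systemd/journal` bind and its "needed for syslog" comment are dropped from the new minijail0 invocation without any note saying why; because `-k 'tmpfs,/run,...'` replaces /run with an empty tmpfs inside the jail, the journal socket is no longer reachable, so if /dev/log on this system resolves into /run/systemd/journal (as it does on typical systemd hosts) syslog output from sound_card_init — including failures of the datastore update — will be silently lost. If that is intended, a comment such as `# /run/systemd/journal is deliberately not bound: sound_card_init does not log via syslog` would stop the next reader from re-adding it; otherwise the bind should be restored. The new `if [ -f /etc/sound_card_init/"${CONFIG}" ]` block also has no else branch, so an empty or unexpected cros_config value makes the job finish without starting the daemon and without a trace; `else logger -t sound_card_init "no config file for '${CONFIG}', not starting"` before the `fi` would make the skipped start visible. Note that the `-f` test accepts whatever path `${CONFIG}` resolves to, which is acceptable only because cros_config values come from device configuration rather than user input — worth stating in a comment so the assumption survives future refactors.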