| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "USBGuard - a service that handles enforcing USB device policy." |
| author "allenwebb@chromium.org" |
| |
| start on screen-locked and started usbguard-wrapper |
| stop on screen-unlocked or start-user-session |
| |
| respawn |
| respawn limit 15 5 |
| |
| umask 066 |
| |
| expect fork |
| |
| # These flags should be kept in sync with "usbguard generate-policy" in |
| # usbguard-wrapper.conf except the "-i", "-b ...", and "-k ..." flags. |
| # |
| # -u Set the user to usbguard. |
| # -g Set the group to usbguard. |
| # -c Provide CAP_DAC_OVERRIDE for write access without root to /sys/bus/usb |
| # -l Enter a new IPC namespace. |
| # -p Enter a new pid namespace. |
| # -e Enter a new network namespace because usbguard-daemon opens a |
| # unix socket for communication with the usbguard cli client, and |
| # is used for things like "list-devices". |
| # --uts Enter a new UTS namespace. |
| # -n Set no_new_privs. |
| # -i Exit minijail after forking usbguard-daemon. |
| # --profile=minimalistic-mountns Setup a mount namespace with some basic |
| # mountpoints. |
| # -b,-k Bind mount /sys writeable, create. |
| # -S Limit the set of accepted system calls. |
| # |
| # The usbguard-daemon flags are: |
| # -s Log to syslog. |
| exec /sbin/minijail0 -u usbguard -g usbguard -c 2 -l -p -e --uts -n -i \ |
| --profile=minimalistic-mountns \ |
| -b /sys,,1 \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/dbus \ |
| -b /run/usbguard \ |
| -S /usr/share/policy/usbguard-daemon-seccomp.policy \ |
| /usr/sbin/usbguard-daemon -s |