| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Daemon to control authorization of external PCI devices" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started boot-services and started syslog |
| stop on stopping system-services |
| |
| expect fork |
| respawn |
| respawn limit 3 10 |
| # TODO(b/175884884): figure out what to do if pciguard crashes |
| |
| oom score -200 |
| |
| # minijail0 args: |
| # -u -g : Run as specified user |
| # -c 2 : CAP_DAC_OVERRIDE |
| # -l : new IPC namespace |
| # -p : new PID namespace |
| # --uts : new UTS/hostname namespace |
| # -n : Set the no_new_privs bit |
| # -v : new VFS namespace |
| # -P /mnt/empty : Start with an empty mount |
| # -b /dev/log : for logging |
| # -b /run/dbus : for communication over dbus |
| # -b /run/udev : for receiving udev events |
| # -b /sys/devices/pci0000:00: Needed because devices under /sys/bus/pci/devices |
| # are symlinks to here. |
| # -b /sys/bus/pci : to manage the allowlist and the devices |
| # -b /sys/bus/thunderbolt: to auth / deauth thunderbolt devices |
| # -b /usr/lib64 : to link with shared libraries |
| # -b /usr/sbin/pciguard: to access the daemon's binary |
| # -S <policy> : Use the specified seccomp policy |
| |
| script |
| |
| minijail0 -u pciguard -g pciguard -c 2 -l -p --uts -n -v \ |
| -P /mnt/empty \ |
| -b /dev/log \ |
| -b /run/dbus \ |
| -b /run/udev \ |
| -b /sys/devices/pci0000:00,,1 \ |
| -b /sys/bus/pci,,1 \ |
| -b /sys/bus/thunderbolt/devices,,1 \ |
| -b /usr/lib64 \ |
| -b /usr/sbin/pciguard \ |
| -S /usr/share/policy/pciguard-seccomp.policy \ |
| /usr/sbin/pciguard |
| |
| end script |
