| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the Chromium OS USB Type C daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services |
| stop on stopping system-services |
| expect fork |
| respawn |
| respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying. |
| |
| # Typecd *should* be able to recover from crashes (rebuild state when we start), |
| # so better to get OOM-killed than cause a memory panic. |
| oom score -100 |
| |
| # Let the daemon crash if it grows too much. "as" is "address space" (vm |
| # size). We expect a typical VM size of about 20MB for the daemon (currently) |
| # so set a limit for 5x that. |
| limit as 100000000 unlimited |
| |
| # Here (in order) are a list of the args added: |
| # - Exit immediately after fork. The jailed process will run in the background. |
| # - Create and enter new UTS namespace (hostname/NIS domain name). |
| # - Create and enter new cgroup namespace. |
| # - Create and enter new PID namespace. |
| # - Use the minimal mountns profile to start. |
| # - Get a writeable and empty /run tmpfs path. |
| # - Mount D-Bus. |
| # - Mount /run/udev so that we can receive udev monitor events. |
| # - Get a writeable and empty /sys tmpfs path. |
| # - Mount the /sys/class/typec directory required by typecd. |
| # - Mount the /sys/devices directory required by typecd. |
| # - Run as typecd user and group. |
| # - Inherit supplementary groups from from user typecd. |
| # - Grant no caps. |
| # - No new privileges (no_new_privs). |
| # - Use the typecd seccomp policy. |
| # - Execute the daemon. |
| # |
| # NOTE: We don't add "-e" since we want to receive udev events. |
| exec minijail0 \ |
| -i \ |
| --uts \ |
| -N \ |
| -p \ |
| --profile minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/dbus \ |
| -b /run/udev \ |
| -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /sys/class/typec \ |
| -b /sys/devices \ |
| -u typecd -g typecd \ |
| -G \ |
| -c 0 \ |
| -n \ |
| -S /usr/share/policy/typecd-seccomp.policy \ |
| -- /usr/bin/typecd \ |