| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Chrome OS Federated Computation service" |
| author "chromium-os-dev@chromium.org" |
| |
| # This daemon is started by D-Bus service activation configured in |
| # federated/dbus/org.chromium.Federated.service. |
| stop on stopping system-services |
| |
| # Score -100 for CrOS daemons that can recover. |
| oom score -100 |
| |
| # Let the process crash if it grows too much. "as" for "address space". |
| # Currently it uses less than 10MB (by checking /proc/$PID/status), let's make |
| # the limit to 100MB, and enlarge it when needed. |
| limit as 100000000 unlimited |
| |
| expect fork |
| |
| pre-start script |
| # Check if system-services is still running before starting federated-service. |
| # This is to prevent new dbus-activated instances from getting started once |
| # the system is beginning to shut down. |
| if ! initctl status system-services | grep -q running; then |
| stop |
| exit 0 |
| fi |
| end script |
| |
| # --profile=minimalistic-mountns Mount namespace with basic mounts |
| # includes /var/empty, /, /proc (RO), /dev/log, /tmp (tmpfs) |
| exec minijail0 -e -i -n -N -v -p -l --uts -c 0 -Kslave \ |
| --profile=minimalistic-mountns \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k '/run/daemon-store/federated,/run/daemon-store/federated,none,MS_BIND|MS_REC' \ |
| -k '/run/imageloader,/run/imageloader,none,MS_BIND|MS_REC' \ |
| -b /run/dbus \ |
| -S /usr/share/policy/federated_service-seccomp.policy \ |
| -u federated-service -g federated-service -- /usr/bin/federated_service |
| |
| # Wait for daemon to claim its D-Bus name before transitioning to started. |
| post-start exec minijail0 -u federated-service -g federated-service \ |
| /usr/bin/gdbus wait --system --timeout 15 org.chromium.Federated |