# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upstart job definition for typecd, the Chromium OS USB Type-C daemon.
description "Start the Chromium OS USB Type C daemon"
author "chromium-os-dev@chromium.org"
# Job lifetime follows the system-services job: start once it has started,
# stop when it begins stopping.
start on started system-services
stop on stopping system-services
# Upstart tracks the child left after a single fork. The exec below passes
# "-i" to minijail0, which exits right after forking the jailed process.
expect fork
respawn
respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying.
# Typecd *should* be able to recover from crashes (rebuild state when we start),
# so better to get OOM-killed than cause a memory panic.
# NOTE(review): a negative score makes the OOM killer less likely to pick this
# job than one at the default, but the job is still eligible to be killed.
oom score -100
# Let the daemon crash if it grows too much. "as" is "address space" (vm
# size). We expect a typical VM size of about 20MB for the daemon (currently)
# so set a limit for 5x that.
# The first value is the soft limit in bytes and the second the hard limit.
# NOTE(review): with the hard limit unlimited, the cap holds only while the
# daemon cannot raise its own soft limit; confirm the seccomp policy does not
# allow setrlimit/prlimit64.
limit as 100000000 unlimited
# Here (in order) is the list of args passed to minijail0 below:
# - Exit immediately after fork. The jailed process will run in the background.
# - Create and enter new UTS namespace (hostname/NIS domain name).
# - Create and enter new cgroup namespace.
# - Create and enter new PID namespace.
# - Use the minimal mountns profile to start.
# - Get a writeable and empty /run tmpfs path.
# - Mount D-Bus.
# - Mount /run/udev so that we can receive udev monitor events.
# - Get a writeable and empty /sys tmpfs path.
# - Mount the /sys/class/typec directory required by typecd.
# - Mount the /sys/devices directory required by typecd.
# - Run as typecd user and group.
# - Inherit supplementary groups from user typecd.
# - Grant no caps.
# - No new privileges (no_new_privs).
# - Use the typecd seccomp policy.
# - Execute the daemon.
#
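# NOTE: We don't add "-e" (new network namespace) since we want to receive
# udev events, which are delivered over a netlink socket scoped to the
# network namespace.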
exec minijail0 \
-i \
--uts \
-N \
-p \
--profile minimalistic-mountns \
-k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
-b /run/dbus \
-b /run/udev \
-k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
-b /sys/class/typec \
-b /sys/devices \
-u typecd -g typecd \
-G \
-c 0 \
-n \
-S /usr/share/policy/typecd-seccomp.policy \
-- /usr/bin/typecd \