| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start Chrome OS iio service" |
| author "chromium-os-dev@chromium.org" |
| |
| # Start when mems_setup has set proper group and ownership. |
| start on started boot-services |
| stop on stopping boot-services |
| expect fork |
| respawn |
| respawn limit 5 30 |
| |
| # Don't respawn too aggressively so kernel has some room to breathe and |
| # initialize sensors. |
| env RESPAWN_DELAY=3 |
| |
| # Make iioservice killable, because if it has a leak it's better to |
| # restart it than to OOM-panic. |
| oom score -100 |
| # Let the daemon crash if it grows too much. "as" is "address space" (vm |
| # size). We expect a typical VM size of about 200MB for the daemon. |
| limit as 200000000 unlimited |
| |
| # Need access to original network namespace for udev (no -e), which passes |
| # uevents via netlink socket. |
| # Need writable access to /sys/devices and /dev for IIO devices control. |
| # Need access to /sys/bus/iio/devices, /sys/firmware, and /sys/class for |
| # IIO devices' information. |
| # Need access to /run/systemd/journal for logging. |
| # Need access to /run/dbus for DBus communications. |
| # Set RLIMIT_NICE(=13) to 40,40 |
| exec minijail0 -i -u iioservice -g iioservice \ |
| -N --uts -p -P /mnt/empty \ |
| -n -S /usr/share/policy/iioservice-seccomp.policy \ |
| -b /usr/sbin -b /sys/bus/iio/devices \ |
| -b /sys/devices,,1 -b /dev,,1 \ |
| -b /sys/firmware -b /sys/class -b /run/dbus -b /run/systemd/journal \ |
| -b /run/udev \ |
| -R 13,40,40 \ |
| -- /usr/sbin/iioservice |
| |
