dlp/init/dlp.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2021 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "Data Leak Prevention daemon"
 author          "chromium-os-dev@chromium.org"

 # The service is started by Chrome on demand.
 stop on stopping ui
 respawn
 respawn limit 3 10

 # Do not respawn if the service is terminated on purpose.
 normal exit 0

 # Sacrifice before OOM panic.
 oom score 0
 # TODO (poromov) Add virtual memory size limit after
 # run-time analysis.

 # Minijail actually forks off the desired process.
 expect fork

 pre-start script
   # Check if ui is still running before starting the daemon.
   # This is to prevent new dbus-activated instances from getting started once
   # the system is beginning to shut down.
   if ! initctl status ui | grep -q running; then
     stop
     exit 0
   fi
 end script

 script
   # Start constructing minijail0 args...
   args=""

   # Make sure minijail0 exits right away and won't block upstart.
   args="${args} -i"

   # Create a cgroup namespace.
   args="${args} -N"

   # Create a UTS namespace to isolate changes to the host / domain name.
   args="${args} --uts"

   # Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
   args="${args} -l"

   # Prevent that execve gains privileges, required for seccomp filters.
   args="${args} -n"

   # Prevent network connections.
   args="${args} -e"

   #TODO(crbug.com/1184871) Apply seccomp policy.
   #args="${args} -S ..."

   #TODO(crbug.com/1200577) Use user data mount namespace once it's ready.
   #args="${args} -V ..."

   # cap_sys_admin are needed for fanotify_init()
   args="${args} -c cap_sys_admin=e"

   # Run as dlp user and group.
   args="${args} -u dlp -g dlp -G"

   # Execute dlp.
   args="${args} /usr/sbin/dlp"

   exec minijail0 ${args}
 end script

 # Wait for daemon to claim its D-Bus name before transitioning to started.
 post-start exec minijail0 -u dlp -g dlp /usr/bin/gdbus \
     wait --system --timeout 15 org.chromium.Dlp

 post-stop exec logger -t "${UPSTART_JOB}" "Post-stop dlp"
	# Copyright 2021 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Data Leak Prevention daemon"
	author "chromium-os-dev@chromium.org"

	# The service is started by Chrome on demand.
	stop on stopping ui
	respawn
	respawn limit 3 10

	# Do not respawn if the service is terminated on purpose.
	normal exit 0

	# Sacrifice before OOM panic.
	oom score 0
	# TODO (poromov) Add virtual memory size limit after
	# run-time analysis.

	# Minijail actually forks off the desired process.
	expect fork

	pre-start script
	# Check if ui is still running before starting the daemon.
	# This is to prevent new dbus-activated instances from getting started once
	# the system is beginning to shut down.
	if ! initctl status ui \| grep -q running; then
	stop
	exit 0
	fi
	end script

	script
	# Start constructing minijail0 args...
	args=""

	# Make sure minijail0 exits right away and won't block upstart.
	args="${args} -i"

	# Create a cgroup namespace.
	args="${args} -N"

	# Create a UTS namespace to isolate changes to the host / domain name.
	args="${args} --uts"

	# Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
	args="${args} -l"

	# Prevent that execve gains privileges, required for seccomp filters.
	args="${args} -n"

	# Prevent network connections.
	args="${args} -e"

	#TODO(crbug.com/1184871) Apply seccomp policy.
	#args="${args} -S ..."

	#TODO(crbug.com/1200577) Use user data mount namespace once it's ready.
	#args="${args} -V ..."

	# cap_sys_admin are needed for fanotify_init()
	args="${args} -c cap_sys_admin=e"

	# Run as dlp user and group.
	args="${args} -u dlp -g dlp -G"

	# Execute dlp.
	args="${args} /usr/sbin/dlp"

	exec minijail0 ${args}
	end script

	# Wait for daemon to claim its D-Bus name before transitioning to started.
	post-start exec minijail0 -u dlp -g dlp /usr/bin/gdbus \
	wait --system --timeout 15 org.chromium.Dlp

	post-stop exec logger -t "${UPSTART_JOB}" "Post-stop dlp"