# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upstart job for the Federated Computation daemon (federated_service).
description "Chrome OS Federated Computation service"
author ""
# This daemon is started by D-Bus service activation configured in
# federated/dbus/org.chromium.Federated.service.
stop on stopping system-services
# Score -100 for CrOS daemons that can recover.
oom score -100
# Let the process crash if it grows too much. "as" is the address-space limit
# (RLIMIT_AS). The daemon currently uses less than 10MB (checked via
# /proc/$PID/status), so the soft limit is set to 100MB; raise it when needed.
# NOTE(review): the hard limit is "unlimited", so the soft limit only guards
# against accidental growth; a process may raise its own soft limit up to the
# hard limit unless the seccomp policy blocks that -- confirm against the
# policy file.
limit as 100000000 unlimited
# Upstart follows one fork to find the PID it tracks. NOTE(review): presumably
# this pairs with minijail0's -i flag in the exec stanza below -- confirm.
expect fork
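pre-start script
  # Check if system-services is still running before starting federated-service.
  # This prevents new D-Bus-activated instances from being started once the
  # system is beginning to shut down.
  if ! initctl status system-services | grep -q running; then
    # A bare "exit 0" would let the job carry on to the main exec, so ask
    # Upstart to stop this job before leaving the script.
    stop
    exit 0
  fi
end script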
# Run the daemon inside a minijail0 sandbox. Flags used:
#   -e, -N, -v, -p, -l, --uts  enter new network, cgroup, mount, PID, IPC and
#             UTS namespaces.
#   -i        minijail0 exits right after forking instead of staying as init.
#   -n        set no_new_privs.
#   -c 0      empty capability mask: the daemon keeps no capabilities.
#   -Kslave   mount propagation is set to slave.
#   --profile=minimalistic-mountns  Mount namespace with basic mounts;
#             includes /var/empty, /, /proc (RO), /dev/log, /tmp (tmpfs).
#   -k tmpfs  fresh tmpfs on /run and /var, mounted nosuid, nodev, noexec.
#   -k /run/daemon-store/federated  recursive bind mount of the daemon store;
#             no read-only flag is given, so it is writable in the sandbox.
#   -b /run/dbus  bind mount of /run/dbus (a -b mount is read-only unless a
#             writable flag is appended, and none is given here).
#   -S        seccomp-BPF syscall filter loaded from the policy file.
#   -u, -g    run as user and group federated-service.
exec minijail0 -e -i -n -N -v -p -l --uts -c 0 -Kslave \
--profile=minimalistic-mountns \
-k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
-k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
-k '/run/daemon-store/federated,/run/daemon-store/federated,none,MS_BIND|MS_REC' \
-b /run/dbus \
-S /usr/share/policy/federated_service-seccomp.policy \
-u federated-service -g federated-service -- /usr/bin/federated_service
# Wait for daemon to claim its D-Bus name before transitioning to started.
# gdbus waits at most 15 seconds for org.chromium.Federated to appear on the
# system bus, and is itself run as federated-service via minijail0 so the
# wait does not execute with the init job's privileges.
post-start exec minijail0 -u federated-service -g federated-service \
/usr/bin/gdbus wait --system --timeout 15 org.chromium.Federated