blob: 5b49c40a6a090f781fa601ec71376d7989221b8b [file] [log] [blame]
# Copyright 2021 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Security anomaly detection daemon"
author "chromium-os-dev@chromium.org"
start on starting system-services
stop on stopping system-services
# Let the daemon crash if its memory grows too much.
# "as" is "address space" (VM size).
# We are seeing a VM size of about 12 MiB. Set the limit to ~four times that for
# safety.
# -------------------------------------
# $ cat /proc/$(pidof secanomalyd)/status
# $ pmap $(pidof secanomalyd)
# -------------------------------------
# Syntax is "limit <resource> <limit> <max_settable_limit>".
limit as 50000000 unlimited
# secanomalyd keeps very little state and can recover trivially so allow the OOM
# killer to terminate it.
oom score -100
respawn
# Drop all capabilities (including bounding set), set NoNewPrivs.
# Stay in the init mount namespace to be able to report suspicious mounts in
# that namespace.
exec minijail0 -u secanomaly -g secanomaly -c 0 -n -- /usr/sbin/secanomalyd