| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start Chrome OS iio service" |
| author "chromium-os-dev@chromium.org" |
| |
| # Start when mems_setup has set proper group and ownership. |
| start on started boot-services |
| stop on stopping boot-services |
| expect fork |
| respawn |
| respawn limit 5 30 |
| |
| # Don't respawn too aggressively so kernel has some room to breathe and |
| # initialize sensors. |
| env RESPAWN_DELAY=3 |
| |
| # Make iioservice killable, because if it has a leak it's better to |
| # restart it than to OOM-panic. |
| oom score -100 |
| # Let the daemon crash if it grows too much. "as" is "address space" (vm |
| # size). We expect a typical VM size of about 200MB for the daemon. |
| limit as 200000000 unlimited |
| |
| # Need writable access to /sys/devices and /dev for IIO devices control. |
| # Need access to /sys/bus, /sys/firmware, and /sys/class for IIO devices' |
| # information. |
| # Need access to /run/dbus for DBus communications. |
| # Need (writable) access to /var/lib/metrics to log metrics. |
| # Set RLIMIT_NICE(=13) to 40,40 |
| exec minijail0 -i -u iioservice -g iioservice \ |
| -N --uts -e -p -P /mnt/empty -b / -b /sys \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -n -S /usr/share/policy/iioservice-seccomp.policy \ |
| -b /sys/bus -b /sys/devices,,1 -b /dev,,1 \ |
| -b /sys/firmware -b /sys/class -b /run/dbus \ |
| -k 'tmpfs,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -b /var/lib/metrics,,1 \ |
| -R 13,40,40 \ |
| -- /usr/sbin/iioservice |
| |