| # Copyright 2021 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Security anomaly detection daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # Lifecycle is tied to the system-services job: start when it starts, stop |
| # when it stops. |
| start on starting system-services |
| stop on stopping system-services |
| |
| # Let the daemon crash if its memory grows too much. |
| # "as" is "address space" (VM size); the limit value is in bytes. |
| # We are seeing a VM size of about 12 MiB. Set the limit to ~four times that for |
| # safety. |
| # ------------------------------------- |
| # $ cat /proc/$(pidof secanomalyd)/status |
| # $ pmap $(pidof secanomalyd) |
| # ------------------------------------- |
| # Syntax is "limit <resource> <limit> <max_settable_limit>". |
| limit as 50000000 unlimited |
| # secanomalyd keeps very little state and can recover trivially, so keep it |
| # killable by the OOM killer: -100 only nudges its score slightly below the |
| # default of 0; it is not "never", which would exempt the daemon entirely. |
| oom score -100 |
| # Restart the daemon if it exits unexpectedly (e.g. after tripping the address |
| # space limit above). |
| respawn |
| |
| # Drop all capabilities (including bounding set), set NoNewPrivs. |
| # Stay in the init mount namespace to be able to report suspicious mounts in |
| # that namespace. |
| # Flags: -u/-g run as the unprivileged "secanomaly" user and group, -c 0 leaves |
| # an empty capability mask, -n sets no_new_privs, and "--" ends minijail's own |
| # options. NOTE(review): no seccomp policy (-S) and no namespace flags are |
| # passed on this command line, so containment here rests on uid/gid, the empty |
| # capability set and no_new_privs alone -- confirm that is the intended scope. |
| exec minijail0 -u secanomaly -g secanomaly -c 0 -n -- /usr/sbin/secanomalyd |