| # Copyright 2021 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Disk usage daemon for ChromeOS" |
| author "chromium-os-dev@chromium.org" |
| |
| # Start once d-bus is ready. |
| start on started boot-services |
| stop on stopping boot-services |
| |
| # Minijail forks off the desired process. |
| expect fork |
| |
| # If the job respawns 10 times in 10 seconds, stop trying. |
| respawn |
| respawn limit 10 10 |
| |
| # Let the daemon crash if it grows too much. |
| limit as 20000000 unlimited |
| # Allow spaced to be killed and restarted. Consumers of data from spaced |
| # (momentarily) be unable to get correct data. |
| oom score -100 |
| |
| # Used minijail options: |
| # -e: new network namespace. |
| # -i: minijail0 exits right after forking. |
| # --uts: enters new UTS namespace. It makes changes to the host/domain |
| # name not affect the rest of the system. |
| # -N: new cgroup namespace. |
| # -p: enter new pid namespace (implies -vr). |
| # -u: change userid to <user> |
| # -g: change gid to <group> |
| # -G: inherit supplementary groups from new uid. |
| # -c: grant capabilities for lvm2 utils to access dm devices and create |
| # lock files. |
| # -n: set no new privileges (no_new_privs bit). |
| # --seccomp-bpf-binary: use the spaced seccomp policy |
| |
| exec minijail0 \ |
| -e \ |
| -i \ |
| --uts \ |
| -N \ |
| -p \ |
| -u spaced -g spaced \ |
| -G \ |
| -c 'cap_dac_override,cap_fowner,cap_sys_admin+eip' \ |
| --ambient \ |
| -n \ |
| --seccomp-bpf-binary /usr/share/policy/spaced-seccomp.policy.bpf \ |
| -- /usr/sbin/spaced |