pciguard/init/pciguard.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2020 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description "Daemon to control authorization of external PCI devices"
 author      "chromium-os-dev@chromium.org"

 start on started boot-services and started syslog
 stop on stopping system-services

 expect fork
 respawn
 respawn limit 3 10
 # TODO(b/175884884): figure out what to do if pciguard crashes

 oom score -200

 # minijail0 args:
 #  -i               : Exit after fork, minijailed process to run in background
 #  -u -g            : Run as specified user
 #  -c 2             : CAP_DAC_OVERRIDE
 #  -l               : new IPC namespace
 #  -p               : new PID namespace
 #  --uts            : new UTS/hostname namespace
 #  -n               : Set the no_new_privs bit
 #  -v               : new VFS namespace
 #  ---profile minimalistic-mountns: start with minimal mounts
 #  -b /dev/log      : for logging
 #  -k 'tmpfs,/run.. : mount tmpfs on /run to allow for subsequent bind mounts
 #  -b /run/dbus     : for communication over dbus
 #  -b /run/udev     : for receiving udev events
 #  -k 'tmpfs,/sys.. : mount tmpfs on /sys to allow for subsequent bind mounts
 #  -b /sys/devices  : Needed because devices under /sys/bus/pci/devices
 #                     are symlinks to here.
 #  -b /sys/bus/pci  : to manage the allowlist and the devices
 #  -b /sys/bus/thunderbolt: to auth / deauth thunderbolt devices
 #  -b /usr/lib64    : to link with shared libraries
 #  -b /usr/sbin/pciguard: to access the daemon's binary
 #  -S <policy>      : Use the specified seccomp policy

 exec minijail0 -i -u pciguard -g pciguard -c 2 -l -p --uts -n -v \
     --profile minimalistic-mountns \
     -b /dev/log \
     -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
     -b /run/dbus \
     -b /run/udev \
     -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \
     -b /sys/devices,,1 \
     -b /sys/bus/pci,,1 \
     -b /sys/bus/thunderbolt/devices,,1 \
     -b /usr/lib64 \
     -b /usr/sbin/pciguard \
     -S /usr/share/policy/pciguard-seccomp.policy \
     /usr/sbin/pciguard
	# Copyright 2020 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Daemon to control authorization of external PCI devices"
	author "chromium-os-dev@chromium.org"

	start on started boot-services and started syslog
	stop on stopping system-services

	expect fork
	respawn
	respawn limit 3 10
	# TODO(b/175884884): figure out what to do if pciguard crashes

	oom score -200

	# minijail0 args:
	# -i : Exit after fork, minijailed process to run in background
	# -u -g : Run as specified user
	# -c 2 : CAP_DAC_OVERRIDE
	# -l : new IPC namespace
	# -p : new PID namespace
	# --uts : new UTS/hostname namespace
	# -n : Set the no_new_privs bit
	# -v : new VFS namespace
	# ---profile minimalistic-mountns: start with minimal mounts
	# -b /dev/log : for logging
	# -k 'tmpfs,/run.. : mount tmpfs on /run to allow for subsequent bind mounts
	# -b /run/dbus : for communication over dbus
	# -b /run/udev : for receiving udev events
	# -k 'tmpfs,/sys.. : mount tmpfs on /sys to allow for subsequent bind mounts
	# -b /sys/devices : Needed because devices under /sys/bus/pci/devices
	# are symlinks to here.
	# -b /sys/bus/pci : to manage the allowlist and the devices
	# -b /sys/bus/thunderbolt: to auth / deauth thunderbolt devices
	# -b /usr/lib64 : to link with shared libraries
	# -b /usr/sbin/pciguard: to access the daemon's binary
	# -S <policy> : Use the specified seccomp policy

	exec minijail0 -i -u pciguard -g pciguard -c 2 -l -p --uts -n -v \
	--profile minimalistic-mountns \
	-b /dev/log \
	-k 'tmpfs,/run,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-b /run/dbus \
	-b /run/udev \
	-k 'tmpfs,/sys,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-b /sys/devices,,1 \
	-b /sys/bus/pci,,1 \
	-b /sys/bus/thunderbolt/devices,,1 \
	-b /usr/lib64 \
	-b /usr/sbin/pciguard \
	-S /usr/share/policy/pciguard-seccomp.policy \
	/usr/sbin/pciguard