| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Chromium OS device PCA agent service." |
| author "chromium-os-dev@chromium.org" |
| |
| start on started boot-services and started shill and started syslog |
| stop on stopping boot-services |
| |
| oom score -100 |
| |
| respawn |
| |
| expect fork |
| |
| # Uses minijail (drop root, set no_new_privs, set seccomp filter). |
| # Mounts /run/shill for DNS lookup. |
| exec minijail0 -u attestation -g attestation --profile=minimalistic-mountns \ |
| --uts -i -I -l -n -p -v -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -b /run/dbus -b /run/shill -S /usr/share/policy/pca_agentd-seccomp.policy \ |
| -- /usr/sbin/pca_agentd |