system-proxy/init/system-proxy.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2020 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "System-proxy daemon"
 author          "chromium-os-dev@chromium.org"

 # The service is started by Chrome on demand.
 stop on stopping ui
 respawn

 # Sacrifice before OOM panic.
 oom score 0
 # TODO (acostinas, crbug.com/1045862) Add virtual memory size limit after
 # run-time analysis.

 # Minijail actually forks off the desired process.
 expect fork

 script
   # Start constructing minijail0 args...
   args=""

   # Make sure minijail0 exits right away and won't block upstart.
   args="${args} -i"

   # Create a UTS namespace to isolate changes to the host / domain name.
   args="${args} --uts"

   # Create a PID namespace (process won't see any other processes).
   args="${args} -p"

   # Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
   args="${args} -l"

   # Remount /proc read-only (prevents any messing with it).
   args="${args} -r"

   # Creates new, empty tmp directory (technically, mounts tmpfs).
   args="${args} -t"

   # Prevent that execve gains privileges, required for seccomp filters.
   args="${args} -n"

   #TODO Apply seccomp policy.
   #args="${args} -S ..."

   # Use a minimalistic mount namespace.
   args="${args} --profile minimalistic-mountns"

   # Mount /run as tmpfs read-only.
   args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC"

   # Bind-mount /run/dbus read-only for D-Bus to work.
   args="${args} -b /run/dbus"

   # Run as system-proxy user and group.
   args="${args} -u system-proxy -g system-proxy"


   # Execute system-proxy.
   args="${args} /usr/sbin/system_proxy"

   # -e is not specified because the service needs to connect to servers.

   exec minijail0 ${args}
 end script

 # Wait for daemon to claim its D-Bus name before transitioning to started.
 post-start exec minijail0 -u system-proxy -g sistem-proxy /usr/bin/gdbus \
     wait --system --timeout 15 org.chromium.SystemProxy
	# Copyright 2020 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "System-proxy daemon"
	author "chromium-os-dev@chromium.org"

	# The service is started by Chrome on demand.
	stop on stopping ui
	respawn

	# Sacrifice before OOM panic.
	oom score 0
	# TODO (acostinas, crbug.com/1045862) Add virtual memory size limit after
	# run-time analysis.

	# Minijail actually forks off the desired process.
	expect fork

	script
	# Start constructing minijail0 args...
	args=""

	# Make sure minijail0 exits right away and won't block upstart.
	args="${args} -i"

	# Create a UTS namespace to isolate changes to the host / domain name.
	args="${args} --uts"

	# Create a PID namespace (process won't see any other processes).
	args="${args} -p"

	# Create an IPC namespace (isolate System V IPC objects/POSIX message queues).
	args="${args} -l"

	# Remount /proc read-only (prevents any messing with it).
	args="${args} -r"

	# Creates new, empty tmp directory (technically, mounts tmpfs).
	args="${args} -t"

	# Prevent that execve gains privileges, required for seccomp filters.
	args="${args} -n"

	#TODO Apply seccomp policy.
	#args="${args} -S ..."

	# Use a minimalistic mount namespace.
	args="${args} --profile minimalistic-mountns"

	# Mount /run as tmpfs read-only.
	args="${args} -k tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC"

	# Bind-mount /run/dbus read-only for D-Bus to work.
	args="${args} -b /run/dbus"

	# Run as system-proxy user and group.
	args="${args} -u system-proxy -g system-proxy"


	# Execute system-proxy.
	args="${args} /usr/sbin/system_proxy"

	# -e is not specified because the service needs to connect to servers.

	exec minijail0 ${args}
	end script

	# Wait for daemon to claim its D-Bus name before transitioning to started.
	post-start exec minijail0 -u system-proxy -g sistem-proxy /usr/bin/gdbus \
	wait --system --timeout 15 org.chromium.SystemProxy