# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start the cros_healthd daemon"
author "chromium-os-dev@chromium.org"
# Start the cros_healthd daemon, which is responsible for reporting telemetry
# data and running diagnostics.
# The job's lifetime follows system-services: it starts while that job is
# starting and stops while that job is stopping.
start on starting system-services
stop on stopping system-services
# Restart the daemon automatically when its main process exits unexpectedly.
respawn
# If the job respawns 3 times in 10 seconds, stop trying. After that the
# daemon stays down until the job is started again.
respawn limit 3 10
# Tell upstart that the main process forks once and that the child is the
# PID to track.
# NOTE(review): presumably this matches minijail0's -i flag ("exit after
# forking") in the main script; re-check it whenever the jail flags change,
# since a mismatch would leave upstart tracking the wrong process.
expect fork
pre-start script
  # Create the scratch directory that diagnostic routines use for their test
  # files and hand it to the daemon's account; the main script bind-mounts
  # this path into the jail with the writeable field set.
  # NOTE(review): mkdir is given no mode, so permissions come from the umask
  # on first creation and are left untouched on an existing directory.
  diag_dir=/var/cache/diagnostics
  mkdir -p "${diag_dir}"
  chown cros_healthd:cros_healthd "${diag_dir}"
end script
# Used jailing parameters:
# -e: new network namespace;
# -G: inherit supplementary groups;
# -i: exit after forking;
# -l: new IPC namespace;
# -n: the no_new_privs bit;
# -p: new PID namespace;
# -r: remount /proc readonly;
# -t: a new tmpfs filesystem for /tmp;
# -v: new VFS namespace;
# --uts: new UTS/hostname namespace;
# -u, -g: user account and group;
# -P: set /mnt/empty as rootfs;
# -b: bind /, /proc and /dev. /dev is necessary to send ioctls to the system's
# block devices.
# -k /run: a new tmpfs filesystem for /run, with the subsequent parameters
# mounting specific files into this directory;
# -b /run/dbus: shared socket file for talking with the D-Bus daemon;
# -b /run/systemd/journal: needed for logging;
# -b /run/chromeos-config/v1: needed for access to chromeos-config;
# -k /sys: a new tmpfs filesystem for /sys, with the subsequent parameters
# mounting specific files into this directory;
# -b /sys/class/backlight: files related to the system's backlights;
# -b /sys/class/block: files related to the system's block devices;
# -b /sys/class/chromeos: files related to Chrome OS hardware devices;
# -b /sys/class/power_supply: files related to the system's power supplies;
# -b /sys/devices: needed to get the names of the block device dev nodes;
# -b /sys/firmware/vpd/ro: files with cached VPD;
# -k /var: new tmpfs for var, with the subsequent parameters
# mounting specific files into this directory;
# -b /var/lib/timezone: symlink for reading the timezone file;
# -b /usr/share/zoneinfo: directory holding timezone files;
# -b /sys/devices/system/cpu: directory of both global and individual CPU
# attributes, which are used by stressapptest to diagnose the CPU;
# -b /dev/shm: allows creation of shared memory files that are used to set up
# mojo::ScopedHandles which can be returned by GetRoutineUpdate.
# -b /var/cache/diagnostics: allows the test routine to create a test
# file on the filesystem;
# -S: apply seccomp filters.
script
# Main process: collect the optional bind mounts, then replace this shell
# with minijail0, which builds the jail and runs /usr/bin/cros_healthd.
#
# Evaluate which directories are present for binding. Do this without starting
# subshells to avoid breaking upstart's PID tracking.
# The optional "-b <path>" pairs are accumulated in the positional parameters
# ("$@"), which start out empty. Presumably these sysfs paths do not exist on
# every device, hence the existence checks.
set --
if [ -e /sys/class/backlight ]; then
set -- "$@" -b /sys/class/backlight
fi
if [ -e /sys/class/chromeos ]; then
set -- "$@" -b /sys/class/chromeos
fi
if [ -e /sys/class/power_supply ]; then
set -- "$@" -b /sys/class/power_supply
fi
if [ -e /sys/firmware/vpd/ro ]; then
set -- "$@" -b /sys/firmware/vpd/ro
fi
# Jail setup; each flag is explained in the "Used jailing parameters" comment
# earlier in this file. Points to keep in mind when editing the command:
# - Argument order matters. "$@" is expanded after the /sys tmpfs (-k) is
#   declared, so the optional sysfs binds land on top of that tmpfs
#   (presumably minijail0 applies mounts in command-line order; confirm).
# - The trailing ",,1" on /dev/shm and /var/cache/diagnostics is the
#   writeable field of minijail0's -b option. No other bind in this command
#   sets it, so these two paths are the only binds requested as writeable.
# - NOTE(review): -b / and -b /dev make the whole root filesystem and every
#   device node visible inside the jail. What the daemon can actually reach
#   is then bounded by the cros_healthd uid/gid, file and device-node
#   permissions, and the seccomp policy passed with -S. Review those
#   together with this list whenever a bind is added.
# - No comment lines may be placed between the continued lines below; that
#   would break the backslash continuation.
exec minijail0 -e -G -i -l -n -p -r -t -v --uts \
-u cros_healthd -g cros_healthd \
-P /mnt/empty \
-b / -b /proc -b /dev \
-k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
-b /run/dbus -b /run/systemd/journal \
-b /run/chromeos-config/v1 \
-k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
-b /sys/class/block -b /sys/devices \
-b /usr/share/zoneinfo \
-k 'tmpfs,/var,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
-b /var/lib/timezone \
-b /sys/devices/system/cpu \
-b /dev/shm,,1 \
"$@" \
-b /var/cache/diagnostics,,1 \
-S /usr/share/policy/cros_healthd-seccomp.policy \
-- /usr/bin/cros_healthd
end script
# Wait for daemon to claim its D-Bus name before transitioning to started.
# gdbus runs as the cros_healthd user and group; here minijail0 is used only
# to drop to that uid/gid, with none of the namespace or seccomp flags of the
# main script. The wait is capped at 15 seconds (--timeout 15).
# NOTE(review): presumably gdbus exits non-zero when the name is not claimed
# in time, which would fail post-start; confirm how the job behaves then.
post-start exec minijail0 -u cros_healthd -g cros_healthd /usr/bin/gdbus \
wait --system --timeout 15 org.chromium.CrosHealthd