diagnostics/init/diagnostics_processor.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description    "Start the diagnostics_processor daemon"
 author         "chromium-os-dev@chromium.org"

 # Start the diagnostics_processor daemon, which is responsible for processing
 # and analyzing telemetry and diagnostics information obtained from
 # diagnosticsd.
 start on starting system-services
 stop on stopping system-services

 respawn
 # If the job respawns 3 times in 10 seconds, stop trying.
 respawn limit 3 10

 expect fork

 pre-start script
   # Create a directory for gRPC socket files - see the comment about the jailing
   # parameters below.
   mkdir -p -m 755 /run/diagnostics/grpc_sockets
   chown -R diagnostics:diagnostics /run/diagnostics/
 end script

 # Used jailing parameters:
 #   -e: new network namespace;
 #   -i: exit after forking;
 #   -l: new IPC namespace;
 #   -n: the no_new_privs bit;
 #   -p: new PID namespace;
 #   -r: remount /proc readonly;
 #   -t: a new tmpfs filesystem for /tmp;
 #   -v: new VFS namespace;
 #   --uts: new UTS/hostname namespace;
 #   -u, -g: user account and group;
 #   --mount-dev: a new /dev mount;
 #   --profile: minimalistic mount namespace;
 #   -k /run: a new tmpfs filesystem for /run, with the subsequent parameters
 #       mounting specific files into this directory;
 #   -b /run/diagnostics/grpc_sockets: shared directory with gRPC socket files,
 #       some of which are owned by diagnostics_processor and some by the
 #       diagnosticsd daemon (note: no other daemon will use this directory);
 #   -S: apply seccomp filters.
 exec minijail0 -e -i -l -n -p -r -t -v --uts \
     -u diagnostics -g diagnostics \
     --mount-dev \
     --profile=minimalistic-mountns \
     -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M' \
     -b /run/diagnostics/grpc_sockets,,1 \
     -S /usr/share/policy/diagnostics_processor-seccomp.policy \
     -- /usr/bin/diagnostics_processor
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start the diagnostics_processor daemon"
	author "chromium-os-dev@chromium.org"

	# Start the diagnostics_processor daemon, which is responsible for processing
	# and analyzing telemetry and diagnostics information obtained from
	# diagnosticsd.
	start on starting system-services
	stop on stopping system-services

	respawn
	# If the job respawns 3 times in 10 seconds, stop trying.
	respawn limit 3 10

	expect fork

	pre-start script
	# Create a directory for gRPC socket files - see the comment about the jailing
	# parameters below.
	mkdir -p -m 755 /run/diagnostics/grpc_sockets
	chown -R diagnostics:diagnostics /run/diagnostics/
	end script

	# Used jailing parameters:
	# -e: new network namespace;
	# -i: exit after forking;
	# -l: new IPC namespace;
	# -n: the no_new_privs bit;
	# -p: new PID namespace;
	# -r: remount /proc readonly;
	# -t: a new tmpfs filesystem for /tmp;
	# -v: new VFS namespace;
	# --uts: new UTS/hostname namespace;
	# -u, -g: user account and group;
	# --mount-dev: a new /dev mount;
	# --profile: minimalistic mount namespace;
	# -k /run: a new tmpfs filesystem for /run, with the subsequent parameters
	# mounting specific files into this directory;
	# -b /run/diagnostics/grpc_sockets: shared directory with gRPC socket files,
	# some of which are owned by diagnostics_processor and some by the
	# diagnosticsd daemon (note: no other daemon will use this directory);
	# -S: apply seccomp filters.
	exec minijail0 -e -i -l -n -p -r -t -v --uts \
	-u diagnostics -g diagnostics \
	--mount-dev \
	--profile=minimalistic-mountns \
	-k 'tmpfs,/run,tmpfs,MS_NODEV\|MS_NOSUID\|MS_NOEXEC,mode=755,size=10M' \
	-b /run/diagnostics/grpc_sockets,,1 \
	-S /usr/share/policy/diagnostics_processor-seccomp.policy \
	-- /usr/bin/diagnostics_processor