| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Daemon to control authorization of external PCI devices" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started boot-services and started syslog |
| stop on stopping system-services |
| |
| expect fork |
| respawn |
| respawn limit 3 10 |
| # TODO(b/175884884): figure out what to do if pciguard crashes |
| |
| oom score -200 |
| |
| # minijail0 args: |
| # -i : Exit after fork, minijailed process to run in background |
| # -u -g : Run as specified user |
| # -c 2 : CAP_DAC_OVERRIDE |
| # -l : new IPC namespace |
| # -N : new cgroup namespace. |
| # -p : new PID namespace |
| # --uts : new UTS/hostname namespace |
| # -n : Set the no_new_privs bit |
| # -v : new VFS namespace |
| # ---profile minimalistic-mountns: start with minimal mounts |
| # -b /dev/log : for logging |
| # -k 'tmpfs,/run.. : mount tmpfs on /run to allow for subsequent bind mounts |
| # -b /run/dbus : for communication over dbus |
| # -b /run/udev : for receiving udev events |
| # -k 'tmpfs,/sys.. : mount tmpfs on /sys to allow for subsequent bind mounts |
| # -b /sys/devices : Needed because devices under /sys/bus/pci/devices |
| # are symlinks to here. |
| # -b /sys/bus/pci : to manage the allowlist and the devices |
| # -b /sys/bus/thunderbolt: to auth / deauth thunderbolt devices |
| # -b /usr/lib64 : to link with shared libraries |
| # -b /usr/sbin/pciguard: to access the daemon's binary |
| # -S <policy> : Use the specified seccomp policy |
| |
| exec minijail0 -i -u pciguard -g pciguard -c 2 -l -N -p --uts -n -v \ |
| --profile minimalistic-mountns \ |
| -b /dev/log \ |
| -k 'tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /run/dbus \ |
| -b /run/udev \ |
| -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M' \ |
| -b /sys/devices,,1 \ |
| -b /sys/bus/pci,,1 \ |
| -b /sys/bus/thunderbolt/devices,,1 \ |
| -b /usr/lib64 \ |
| -b /usr/sbin/pciguard \ |
| -S /usr/share/policy/pciguard-seccomp.policy \ |
| /usr/sbin/pciguard |