| # Copyright 2021 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Security anomaly detection daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| start on starting system-services |
| stop on stopping system-services |
| |
| # Let the daemon crash if its memory grows too much. |
| # "as" is "address space" (VM size). |
| # We are seeing a VM size of about 12 MiB. Set the limit to ~four times that for |
| # safety. |
| # ------------------------------------- |
| # $ cat /proc/$(pidof secanomalyd)/status |
| # $ pmap $(pidof secanomalyd) |
| # ------------------------------------- |
| # Syntax is "limit <resource> <limit> <max_settable_limit>". |
| limit as 50000000 unlimited |
| # secanomalyd keeps very little state and can recover trivially so allow the OOM |
| # killer to terminate it. |
| oom score -100 |
| respawn |
| |
| # Inherit supplementary groups to gain membership to the 'crash-access' group. |
| # Set NoNewPrivs. |
| # Drop all capabilities except CAP_SYS_PTRACE to be able to filter processes |
| # by their PID namespace. |
| # Stay in the init mount namespace to be able to report suspicious mounts in |
| # that namespace. |
| exec minijail0 -u secanomaly -g secanomaly -G -n \ |
| -c "cap_sys_ptrace=e" --ambient -- \ |
| /usr/sbin/secanomalyd --generate_reports |