| # Copyright 2022 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Chromium OS device service." |
| author "chromium-os-dev@chromium.org" |
| |
| # Until it is stable, this daemon is controlled by admin only. |
| # TODO(b/227341806): set proper start and stop criteria. |
| |
| oom score -100 |
| |
| respawn |
| |
| expect fork |
| |
| # Uses minijail (drop root, set no_new_privs, set seccomp filter). |
| exec minijail0 -u vtpm -g vtpm --profile=minimalistic-mountns \ |
| --uts -i -I -l -n -N -p -v \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -b /run/dbus \ |
| -k '/var,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -b /var/lib/vtpm,,1 \ |
| -S /usr/share/policy/vtpmd-seccomp.policy \ |
| -- /usr/sbin/vtpmd |