| # Copyright 2022 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Security event reporting daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # Minimum log level defined in base/logging.h. |
| # 0:INFO, 1:WARNING, 2:ERROR, 3:ERROR_REPORT, 4:FATAL |
| # -1:VLOG(1), -2:VLOG(2), etc |
| # Set to log only INFO or above by default. |
| env LOG_LEVEL=0 |
| |
| start on starting system-services |
| stop on stopping system-services |
| |
| # secagentd keeps very little state and can easily recover so allow the OOM |
| # killer to terminate it. |
| oom score -100 |
| respawn |
| |
| # -u: Run as user secagentd. |
| # -g: Run as group secagentd. |
| # -n: Prevents that execve gains privileges. |
| # -c: Capabilties listed are needed for bpf functionality. |
| # cap_dac_read_search: Overrides DAC restrictions for reading files. |
| # cap_sys_resource: Needed for overriding memory limits. |
| # cap_perfmon: Needed for additional bpf operations (tracing). |
| # cap_bpf: Allows use of bpf operations. |
| # cap_sys_ptrace: Allows for using ptrace on processes. |
| |
| exec minijail0 -u secagentd -g secagentd -n -c \ |
| "cap_dac_read_search,cap_sys_resource,cap_perfmon,cap_bpf,cap_sys_ptrace=e" \ |
| -- /usr/sbin/secagentd \ |
| --log_level="${LOG_LEVEL}" |