| # Copyright 2022 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Security event reporting daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # Minimum log level defined in base/logging.h. |
| # 0:INFO, 1:WARNING, 2:ERROR, 3:ERROR_REPORT, 4:FATAL |
| # -1:VLOG(1), -2:VLOG(2), etc |
| # Set to log only INFO or above by default. |
| env SECAGENTD_LOG_LEVEL=0 |
| import SECAGENTD_LOG_LEVEL |
| |
| # Set this env var to true to bypass any policy checks and always report |
| # all events. |
| env BYPASS_POLICY_FOR_TESTING=false |
| import BYPASS_POLICY_FOR_TESTING |
| |
| # Set this env var to true to bypass the initial wait for an Agent Start event |
| # to be enqueued successfully. |
| env BYPASS_ENQ_OK_WAIT_FOR_TESTING=false |
| import BYPASS_ENQ_OK_WAIT_FOR_TESTING |
| |
| # Set this env var to the desired value of the agent heartbeat timer |
| # (> 0) period in seconds. |
| env SET_HEARTBEAT_PERIOD_S_FOR_TESTING=300 |
| import SET_HEARTBEAT_PERIOD_S_FOR_TESTING |
| |
| start on starting system-services |
| stop on stopping system-services |
| |
| # secagentd keeps very little state and can easily recover so allow the OOM |
| # killer to terminate it. |
| oom score -100 |
| respawn |
| |
| # Minijail flags explanation: |
| # -u: Run as user secagentd. |
| # -g: Run as group secagentd. |
| # -n: Prevents that execve gains privileges. |
| # -c: Capabilties listed are needed for bpf functionality. |
| # cap_dac_read_search: Overrides DAC restrictions for reading files. |
| # cap_sys_resource: Needed for overriding memory limits. |
| # cap_perfmon: Needed for additional bpf operations (tracing). |
| # cap_bpf: Allows use of bpf operations. |
| # cap_sys_ptrace: Allows for using ptrace on processes. |
| # --no-default-runtime-environment: Don't use the default security policy. |
| |
| # Secagentd flags explanation: |
| # --log_level: The logging level. |
| # --bypass_policy_for_testing: Skip checking the device policy for XDR |
| # reporting. |
| # --bypass_enq_ok_wait_for_testing: Skip waiting for the first successful |
| # enqueueing of an agent start event before starting XDR reporting. |
| # --set_heartbeat_period_s_for_testing: Set timer for agent heartbeat. |
| |
| exec minijail0 -u secagentd -g secagentd -n -c \ |
| "cap_dac_read_search,cap_sys_resource,cap_perfmon,cap_bpf,cap_sys_ptrace=e" \ |
| --no-default-runtime-environment \ |
| -- /usr/sbin/secagentd \ |
| --log_level="${SECAGENTD_LOG_LEVEL}" \ |
| --bypass_policy_for_testing="${BYPASS_POLICY_FOR_TESTING}" \ |
| --bypass_enq_ok_wait_for_testing="${BYPASS_ENQ_OK_WAIT_FOR_TESTING}" \ |
| --set_heartbeat_period_s_for_testing="${SET_HEARTBEAT_PERIOD_S_FOR_TESTING}" |