# Copyright 2022 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upstart job for secagentd, the ChromeOS security event reporting daemon.
# The daemon is launched through minijail0 as the unprivileged secagentd
# user/group, retaining only the capabilities listed on the exec line below.
description "Security event reporting daemon"
author "chromium-os-dev@chromium.org"
# Minimum log level defined in base/logging.h.
# 0:INFO, 1:WARNING, 2:ERROR, 3:ERROR_REPORT, 4:FATAL
# -1:VLOG(1), -2:VLOG(2), etc.
# Set to log only INFO or above by default.
env SECAGENTD_LOG_LEVEL=0
import SECAGENTD_LOG_LEVEL
# Set this env var to true to bypass any policy checks and always report
# all events.
# Because the variable is imported, the default below can be overridden on
# the job's start command line; the default (false) is the production
# setting and the override is intended for tests only.
env BYPASS_POLICY_FOR_TESTING=false
import BYPASS_POLICY_FOR_TESTING
# Set this env var to true to bypass the initial wait for an Agent Start event
# to be enqueued successfully. Like the other *_FOR_TESTING variables it is
# imported and therefore overridable at start time.
env BYPASS_ENQ_OK_WAIT_FOR_TESTING=false
import BYPASS_ENQ_OK_WAIT_FOR_TESTING
# Set this env var to the desired value of the agent heartbeat timer
# (> 0) period in seconds. Defaults to 300 (five minutes).
env SET_HEARTBEAT_PERIOD_S_FOR_TESTING=300
import SET_HEARTBEAT_PERIOD_S_FOR_TESTING
start on starting system-services
stop on stopping system-services
# secagentd keeps very little state and can easily recover, so allow the OOM
# killer to terminate it. -100 is only a mild preference against being
# chosen (unlike -1000, which would exempt the process entirely).
oom score -100
# Restart automatically if the daemon exits or is killed.
respawn
# Minijail flags explanation:
# -u: Run as user secagentd.
# -g: Run as group secagentd.
# -n: Set no_new_privs so that execve cannot gain privileges (e.g. through
#     setuid or file-capability binaries).
# -c: Capabilities listed are needed for bpf functionality. The list is in
#     libcap text form; the "=e" suffix marks the effective flag.
# cap_dac_read_search: Overrides DAC restrictions for reading files and
#     searching directories.
# cap_sys_resource: Needed for overriding memory limits.
# cap_perfmon: Needed for additional bpf operations (tracing).
# cap_bpf: Allows use of bpf operations.
# cap_sys_ptrace: Allows for using ptrace on processes.
# --no-default-runtime-environment: Don't use the default security policy;
#     only the restrictions given explicitly on this command line apply.
#     No seccomp filter or namespace isolation flags are specified here.
# Secagentd flags explanation:
# --log_level: The logging level.
# --bypass_policy_for_testing: Skip checking the device policy for XDR
# reporting.
# --bypass_enq_ok_wait_for_testing: Skip waiting for the first successful
# enqueueing of an agent start event before starting XDR reporting.
# --set_heartbeat_period_s_for_testing: Set timer for agent heartbeat.
# Each flag value is taken verbatim from the corresponding imported env var
# defined above.
exec minijail0 -u secagentd -g secagentd -n -c \
"cap_dac_read_search,cap_sys_resource,cap_perfmon,cap_bpf,cap_sys_ptrace=e" \
--no-default-runtime-environment \
-- /usr/sbin/secagentd \
--log_level="${SECAGENTD_LOG_LEVEL}" \
--bypass_policy_for_testing="${BYPASS_POLICY_FOR_TESTING}" \
--bypass_enq_ok_wait_for_testing="${BYPASS_ENQ_OK_WAIT_FOR_TESTING}" \
--set_heartbeat_period_s_for_testing="${SET_HEARTBEAT_PERIOD_S_FOR_TESTING}"