blob: 2a25a9d0314e10a84c4b86a5508dce33018ae56c [file] [log] [blame] [edit]
exe,euser,egroup,pidns,mntns,caps,nonewprivs,filter
# This is a comma separated file listing services that run on the device and the
# expected security features that are enabled for it.
#
# Note: If you add a new service and it's being rejected because it's running as
# root, do not just whitelist it here. Services should rarely be running under
# the root account. Spend the time to improve the security of the system early
# rather than trying to retrofit it later (especially in response to an attack).
#
# The fields:
# exe: The name of the process in /proc/PID/comm (Note the 15 char limit).
# euser: The user the account runs under (e.g. "syslog").
# egroup: The group the account runs under (e.g. "syslog").
# pidns: Whether the process runs in a unique pid namespace (Yes|No).
# mntns: Whether the process runs in a unique mount namespace with
# pivot_root(2) (Yes|No).
# caps: Whether the process runs with restricted capabilities (Yes|No).
# nonewprivs: Whether the process runs with no_new_privs set (minijail's -n).
# filter: Whether the process runs with a seccomp filter (Yes|No).
#
# exe,euser,egroup are mandatory checks. All the other fields are opt-in. That
# is to say, a "No" setting means the check is skipped, while a "Yes" setting
# enforces the permission setting.
# Since udev creates device nodes and changes owners/perms, it needs to run as
# root. TODO: We should namespace it.
udevd,root,root,No,No,No,No,No
# Frecon needs to run as root and in the original namespace because it might
# launch new shells via login. Would be nice if it integrated things.
frecon,root,root,No,No,No,No,No
session_manager,root,root,No,No,No,No,No
rsyslogd,syslog,syslog,No,Yes,Yes,No,No
systemd-journal,syslog,syslog,No,Yes,Yes,No,No
dbus-daemon,messagebus,messagebus,No,No,Yes,No,No
wpa_supplicant,wpa,wpa,No,No,Yes,Yes,No
shill,shill,shill,No,No,Yes,Yes,No
chapsd,chaps,chronos-access,No,No,Yes,Yes,No
cryptohomed,root,root,No,No,No,No,No
powerd,power,power,No,No,Yes,No,No
ModemManager,modem,modem,No,No,Yes,Yes,No
dhcpcd,dhcp,dhcp,No,No,Yes,No,No
memd,root,root,Yes,Yes,No,Yes,Yes
metrics_daemon,root,root,No,No,No,No,No
disks,cros-disks,cros-disks,No,No,Yes,Yes,No
update_engine,root,root,No,No,No,No,No
bluetoothd,bluetooth,bluetooth,No,No,Yes,Yes,No
debugd,root,root,No,Yes,No,No,No
cras,cras,cras,No,Yes,Yes,Yes,No
tcsd,tss,tss,No,No,Yes,No,No
cromo,cromo,cromo,No,No,No,No,No
wimax-manager,root,root,No,No,No,No,No
mtpd,mtp,mtp,Yes,Yes,Yes,Yes,Yes
tlsdated,tlsdate,tlsdate,No,No,Yes,No,No
tlsdated-setter,root,root,No,No,No,Yes,Yes
lid_touchpad_he,root,root,No,No,No,No,No
thermal.sh,root,root,No,No,No,No,No
daisydog,watchdog,watchdog,Yes,Yes,Yes,Yes,No
permission_brok,devbroker,root,No,No,Yes,Yes,No
netfilter-queue,nfqueue,nfqueue,No,No,Yes,No,Yes
anomaly_detecto,root,root,No,No,No,No,No
attestationd,attestation,attestation,No,No,Yes,Yes,Yes
periodic_schedu,root,root,No,No,No,No,No
esif_ufd,root,root,No,No,No,No,No
easy_unlock,easy-unlock,easy-unlock,No,No,No,No,No
sslh-fork,sslh,sslh,Yes,Yes,Yes,No,Yes
upstart-socket-,root,root,No,No,No,No,No
timberslide,root,root,No,No,No,No,No
firewalld,firewall,firewall,Yes,Yes,Yes,Yes,No
conntrackd,nfqueue,nfqueue,No,Yes,Yes,Yes,Yes
avahi-daemon,avahi,avahi,No,No,Yes,No,No
upstart-udev-br,root,root,No,No,No,No,No
midis,midis,midis,Yes,Yes,Yes,Yes,Yes
# Biometrics services.
bio_crypto_init,biod,biod,Yes,Yes,Yes,Yes,Yes
biod,biod,biod,Yes,Yes,Yes,Yes,Yes
# Chrome OS camera services.
cros_camera_service,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes
cros_camera_algo,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes
# ARC-related services running on Chrome OS.
arc_camera_serv,arc-camera,arc-camera,No,No,Yes,No,No
arc-networkd,root,root,No,No,No,No,No
arc-obb-mounter,root,root,Yes,Yes,No,No,No
arc-oemcrypto,arc-oemcrypto,arc-oemcrypto,Yes,Yes,Yes,Yes,Yes
# Broadcomm Bluetooth firmware patch downloader runs on some veyron boards.
brcm_patchram_p,root,root,No,No,No,No,No
# tpm_managerd and trunks run on all TPM2 boards, such as reef.
tpm_managerd,root,root,No,No,No,No,No
trunksd,trunks,trunks,No,No,Yes,Yes,Yes
# ARC container.
# root inside the ARC container.
app_process,android-root,android-root,Yes,Yes,No,No,No
debuggerd,android-root,android-root,Yes,Yes,No,No,No
debuggerd:sig,android-root,android-root,Yes,Yes,No,No,No
healthd,android-root,android-root,Yes,Yes,No,No,No
vold,android-root,android-root,Yes,Yes,No,No,No
# Non-root inside the ARC container.
boot_latch,656360,656360,Yes,Yes,Yes,No,No
bugreportd,657360,656367,Yes,Yes,Yes,No,No
logd,656396,656396,Yes,Yes,Yes,No,No
servicemanager,656360,656360,Yes,Yes,Yes,No,No
surfaceflinger,656360,656363,Yes,Yes,Yes,No,No
# Chrome OS one-off init scripts.
# These are small setup scripts that don't spawn daemons and are short lived.
activate_date.s,root,root,No,No,No,No,No
crx-import.sh,root,root,No,No,No,No,No
lockbox-cache.s,root,root,No,No,No,No,No
powerd-pre-star,root,root,No,No,No,No,No