| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Starts perfetto system tracing service and probes" |
| author "chromium-os-dev@chromium.org" |
| |
| # traced is the Perfetto tracing service daemon for collecting performance |
| # trace of the system. The daemon provides service to entities that writes the |
| # trace data (producers) and entities that controls trace collection and reads |
| # collected trace data (consumers) through IPC channels and the entities are |
| # isolated from each other. See https://perfetto.dev/docs/concepts/service-model |
| # for more information about the service and http://go/crosetto-security |
| # (internal doc) about the security design of this service. |
| start on started system-services |
| stop on stopping system-services |
| |
| expect fork |
| respawn |
| respawn limit 10 10 |
| oom score -100 |
| # Use ~900 MiB, which is 10 times of peak VM usage from a local session, for the |
| # limit of VM usage. |
| # Note that internally perfetto has it's own watchdog and will self-kill if its |
| # memory budget exceeds SUM(tracing buffers) + 32MB slack. |
| limit as 900000000 unlimited |
| |
| # This directory is created by tmpfiles.d/traced.conf. |
| env PERFETTO_SOCK_DIR=/run/perfetto |
| |
| pre-start script |
| # Remove socket files from earlier traced runs (if any). |
| rm -rf "${PERFETTO_SOCK_DIR}"/* |
| end script |
| |
| # minijail0 args. |
| # -u traced -g traced: run as user: traced, group: traced. |
| # -G: Inherit supplementary groups from new uid. |
| # -c 0: Grant no caps. |
| # -i: fork immediately and don't block the startup. |
| # -l: enter a new IPC namespace. |
| # -N: enter a new cgroup namespace. |
| # -e: enter a new network namespace. |
| # --uts: enter a new UTS namespace. |
| # -n: set no new_privs. |
| # --profile=minimalistic-mountns -t: set up minimalistic mounts and /tmp. |
| # -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC: mount tmpfs at /run. |
| # -b ${PERFETTO_SOCK_DIR},,1: bind mount ${PERFETTO_SOCK_DIR} that hosts the |
| # socket files. |
| # -p: enter a new PID namespace. |
| # -S /usr/share/policy/traced.policy: set up seccomp policy. |
| exec /sbin/minijail0 -u traced -g traced \ |
| -G -c 0 -i -l -N -e --uts -n \ |
| --profile=minimalistic-mountns -t \ |
| -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -b "${PERFETTO_SOCK_DIR}",,1 \ |
| -p \ |
| -S /usr/share/policy/traced.policy \ |
| -- /usr/bin/traced \ |
| --set-socket-permissions traced-producer:0660:traced-consumer:0660 |