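# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description "Starts perfetto system tracing service and probes"
author "chromium-os-dev@chromium.org"

# traced is the Perfetto tracing service daemon for collecting performance
# traces of the system. The daemon provides service to entities that write the
# trace data (producers) and entities that control trace collection and read
# collected trace data (consumers) through IPC channels; the entities are
# isolated from each other. See https://perfetto.dev/docs/concepts/service-model
# for more information about the service and http://go/crosetto-security
# (internal doc) about the security design of this service.

start on started system-services
stop on stopping system-services

# minijail0 is started with -i (see below): it forks once and exits while
# traced keeps running inside the sandbox, so Upstart must track the child.
expect fork
respawn
respawn limit 10 10
oom score -100

# Use 900 MB (~858 MiB), which is 10 times the peak VM usage from a local
# session, as the limit of VM usage.
# Note that internally perfetto has its own watchdog and will self-kill if its
# memory budget exceeds SUM(tracing buffers) + 32MB slack.
limit as 900000000 unlimited

# This directory is created by tmpfiles.d/traced.conf. It is the only part of
# the host's /run that is made visible inside the sandbox (see the -k and -b
# minijail0 args below).
env PERFETTO_SOCK_DIR=/run/perfetto

pre-start script
  # Remove socket files from earlier traced runs (if any). The ":?" expansion
  # aborts the script instead of running "rm -rf /*" should the variable ever
  # be unset or empty.
  rm -rf "${PERFETTO_SOCK_DIR:?}"/*
end script

# minijail0 args.
# -u traced -g traced: run as user: traced, group: traced.
# -G: Inherit supplementary groups from new uid.
# -c 0: Grant no caps.
# -i: fork immediately and don't block the startup.
# -l: enter a new IPC namespace.
# -N: enter a new cgroup namespace.
# -e: enter a new network namespace. traced's IPC goes over unix sockets in
#     ${PERFETTO_SOCK_DIR}, which need no network access.
# --uts: enter a new UTS namespace.
# -n: set no_new_privs.
# --profile=minimalistic-mountns -t: set up minimalistic mounts and /tmp.
# -k tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC: mount an empty tmpfs at
#    /run, hiding everything else under the host's /run.
# -b ${PERFETTO_SOCK_DIR},,1: bind mount ${PERFETTO_SOCK_DIR}, which hosts the
#    socket files, writable (the trailing ",1") so traced can create them.
# -p: enter a new PID namespace.
# -S /usr/share/policy/traced.policy: set up seccomp policy.
#
# traced args.
# --set-socket-permissions <producer group>:<mode>:<consumer group>:<mode>:
#    limit the producer socket to group traced-producer and the consumer
#    socket to group traced-consumer, each mode 0660, so that only members of
#    the respective group can connect.
exec /sbin/minijail0 -u traced -g traced \
  -G -c 0 -i -l -N -e --uts -n \
  --profile=minimalistic-mountns -t \
  -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
  -b "${PERFETTO_SOCK_DIR}",,1 \
  -p \
  -S /usr/share/policy/traced.policy \
  -- /usr/bin/traced \
  --set-socket-permissions traced-producer:0660:traced-consumer:0660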