fbpreprocessor/init/fbpreprocessord.conf - third_party/platform2 - Git at Google

 # Copyright 2023 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Start the Chromium OS debug data preprocessing daemon"
 author        "chromium-os-dev@chromium.org"

 start on started system-services
 stop on stopping system-services
 respawn
 respawn limit 3 10  # if the job respawns 3 times in 10 seconds, stop trying.

 oom score -100

 expect fork

 env LOG_LEVEL=0
 env DAEMON_STORE=/run/daemon-store/fbpreprocessord
 env FILE_EXPIRATION_SECS=1800

 # Make it possible to set the variable from upstart command line.
 import FILE_EXPIRATION_SECS
 import LOG_LEVEL


 # Here (in order) are a list of the args added:
 # - Exit minijail0 after fork / send fbpreprocessord "to background."
 # - Create and enter new UTS namespace (hostname/NIS domain name).
 # - Create and enter new network namespace.
 # - Create and enter new IPC namespace.
 # - Create and enter new cgroup namespace.
 # - Create and enter new PID namespace.
 # - Set mount namespace to be a slave mount.
 # - Set up a new VFS namespace (although this should be covered by
 #   minimalistic-mountns, leaving this out yields the following error:
 #   "Can't skip marking mounts as MS_PRIVATE without mount namespaces.")
 # - Use the minimal mountns profile to start.
 # - Get a writeable and empty /run tmpfs path.
 # - Mount dbus.
 # - Mount writable /run/fbpreprocessord directory to write the value of the
 #   Finch flag.
 # - Mount daemon store with the MS_BIND|MS_REC options to handle the case
 #   fbpreprocessord starts after the user's cryptohome is already mounted
 #   (e.g. after a crash).
 # - Get a writeable and empty /var tmpfs path.
 # - Mount the metrics directory.
 # - Run as fbpreprocessord user and group.
 # - Inherit supplementary groups from user fbpreprocessor.
 # - Grant no caps.
 # - No new privileges (no_new_privs).
 # - Apply seccomp filters.
 # - Execute the daemon.
 # - Set the log level.
 # - Pipe output to fbpreprocessord.out.
 exec minijail0                                                               \
   -i                                                                         \
   --uts                                                                      \
   -e                                                                         \
   -l                                                                         \
   -N                                                                         \
   -p                                                                         \
   -Kslave                                                                    \
   -v                                                                         \
   --profile minimalistic-mountns                                             \
   -k "tmpfs,/run,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M"       \
   -b /run/dbus                                                               \
   -b /run/fbpreprocessord,,1                                                 \
   -k "${DAEMON_STORE},${DAEMON_STORE},none,MS_BIND|MS_REC"                   \
   -k "tmpfs,/var,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M"       \
   -b /var/lib/metrics,,1                                                     \
   -b /sys                                                                    \
   -u fbpreprocessor -g fbpreprocessor                                        \
   -G                                                                         \
   -c 0                                                                       \
   -n                                                                         \
   -S /usr/share/policy/fbpreprocessord.policy                                \
   -- /usr/bin/fbpreprocessord                                                \
   --log_level=${LOG_LEVEL}                                                   \
   --file_expiration=${FILE_EXPIRATION_SECS}
	# Copyright 2023 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start the Chromium OS debug data preprocessing daemon"
	author "chromium-os-dev@chromium.org"

	start on started system-services
	stop on stopping system-services
	respawn
	respawn limit 3 10 # if the job respawns 3 times in 10 seconds, stop trying.

	oom score -100

	expect fork

	env LOG_LEVEL=0
	env DAEMON_STORE=/run/daemon-store/fbpreprocessord
	env FILE_EXPIRATION_SECS=1800

	# Make it possible to set the variable from upstart command line.
	import FILE_EXPIRATION_SECS
	import LOG_LEVEL


	# Here (in order) are a list of the args added:
	# - Exit minijail0 after fork / send fbpreprocessord "to background."
	# - Create and enter new UTS namespace (hostname/NIS domain name).
	# - Create and enter new network namespace.
	# - Create and enter new IPC namespace.
	# - Create and enter new cgroup namespace.
	# - Create and enter new PID namespace.
	# - Set mount namespace to be a slave mount.
	# - Set up a new VFS namespace (although this should be covered by
	# minimalistic-mountns, leaving this out yields the following error:
	# "Can't skip marking mounts as MS_PRIVATE without mount namespaces.")
	# - Use the minimal mountns profile to start.
	# - Get a writeable and empty /run tmpfs path.
	# - Mount dbus.
	# - Mount writable /run/fbpreprocessord directory to write the value of the
	# Finch flag.
	# - Mount daemon store with the MS_BIND\|MS_REC options to handle the case
	# fbpreprocessord starts after the user's cryptohome is already mounted
	# (e.g. after a crash).
	# - Get a writeable and empty /var tmpfs path.
	# - Mount the metrics directory.
	# - Run as fbpreprocessord user and group.
	# - Inherit supplementary groups from user fbpreprocessor.
	# - Grant no caps.
	# - No new privileges (no_new_privs).
	# - Apply seccomp filters.
	# - Execute the daemon.
	# - Set the log level.
	# - Pipe output to fbpreprocessord.out.
	exec minijail0 \
	-i \
	--uts \
	-e \
	-l \
	-N \
	-p \
	-Kslave \
	-v \
	--profile minimalistic-mountns \
	-k "tmpfs,/run,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M" \
	-b /run/dbus \
	-b /run/fbpreprocessord,,1 \
	-k "${DAEMON_STORE},${DAEMON_STORE},none,MS_BIND\|MS_REC" \
	-k "tmpfs,/var,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M" \
	-b /var/lib/metrics,,1 \
	-b /sys \
	-u fbpreprocessor -g fbpreprocessor \
	-G \
	-c 0 \
	-n \
	-S /usr/share/policy/fbpreprocessord.policy \
	-- /usr/bin/fbpreprocessord \
	--log_level=${LOG_LEVEL} \
	--file_expiration=${FILE_EXPIRATION_SECS}