resourced/init/resourced.conf - third_party/platform2 - Git at Google

 # Copyright 2021 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Start the Chromium OS Resource Manager daemon"
 author        "chromium-os-dev@chromium.org"

 start on started system-services
 stop on stopping system-services

 # Minijail forks off the desired process.
 expect fork

 # If the job respawns 10 times in 10 seconds, stop trying.
 respawn
 respawn limit 10 10

 # resourced handles low memory situations and shall not be OOM-killed.
 oom score never

 # Let the daemon crash if it grows too much. "as" is "address space" (VM
 # size). The typical VM size of resourced is about 14MB. Set the limit to
 # about 3x typical VM size.
 limit as 45000000 unlimited

 # Comments to the args in order:
 # -i: Exit immediately after fork. The jailed process will run in the
 #     background.
 # --uts: Create and enter new UTS namespace (hostname/NIS domain name).
 # -N: Create and enter new cgroup namespace.
 # -v: Create and enter new VFS namespace.
 # -P: Set /mnt/empty as the root fs using pivot_root.
 # -d: Create a new /dev mount with a minimal set of nodes.
 #
 # Mounts:
 # - Need read access to /.
 # - Need read access to /dev/log for syslog.
 # - Need write access to /proc for PSI monitor.
 # - Get a writeable and empty /run tmpfs path.
 # - Need access to /run/dbus for DBus communications.
 # - Need access to /run/chromeos-config for reading configuration.
 # - Get a writeable and empty /sys tmpfs path.
 # - Need access to /sys/kernel/mm/chromeos-low_mem for checking memory configs.
 # - Need write access to energy_performance_preference sysfs entries.
 # - Need read access to power_supply sysfs entries.
 # - Need read access to devices to follow power_supply symlinks.
 # - Need write access to gpu sysfs entries.
 # - Need write access to /sys/fs/cgroup/cpuset sysfs entries.
 # - Run as resourced user and group.
 # - Inherit supplementary groups from user resourced.
 # - Grant no caps.
 # - No new privileges (no_new_privs).
 # - Use the resourced seccomp policy.
 # - Execute the daemon.
 #
 # NOTE: We don't add "-e" since we want to receive udev events.
 script

   # powercap does not exist on ARM devies, conditionally bind mount.
   POWER_CAP_MOUNT=""
   if [ -d "/sys/class/powercap" ]; then
     POWER_CAP_MOUNT="-b /sys/class/powercap,,1 "
   fi

   exec minijail0                                                               \
     -i                                                                         \
     --uts                                                                      \
     -N                                                                         \
     -v                                                                         \
     -P /mnt/empty                                                              \
     -d                                                                         \
     -b /                                                                       \
     -b /dev/log                                                                \
     -k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC'                          \
     -k 'tmpfs,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC'                         \
     -b /run/dbus                                                               \
     -b /run/chromeos-config/v1                                                 \
     -k 'tmpfs,/sys,tmpfs,MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M'       \
     -b /sys/kernel/mm/chromeos-low_mem                                         \
     -b /sys/devices/system/cpu/cpufreq,,1                                      \
     -b /sys/class/power_supply,,1                                              \
     ${POWER_CAP_MOUNT}                                                         \
     -b /sys/devices,,1                                                         \
     -b /sys/fs/cgroup/cpuset,,1                                                \
     -b /sys/bus/cpu/devices                                                    \
     -b /sys/class/drm,,1                                                       \
     -u resourced -g resourced                                                  \
     -G                                                                         \
     -c 0                                                                       \
     -n                                                                         \
     -S /usr/share/policy/resourced-seccomp.policy                              \
     -- /usr/bin/resourced
 end script

 tmpfiles /usr/lib/tmpfiles.d/on-demand/resourced.conf
	# Copyright 2021 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start the Chromium OS Resource Manager daemon"
	author "chromium-os-dev@chromium.org"

	start on started system-services
	stop on stopping system-services

	# Minijail forks off the desired process.
	expect fork

	# If the job respawns 10 times in 10 seconds, stop trying.
	respawn
	respawn limit 10 10

	# resourced handles low memory situations and shall not be OOM-killed.
	oom score never

	# Let the daemon crash if it grows too much. "as" is "address space" (VM
	# size). The typical VM size of resourced is about 14MB. Set the limit to
	# about 3x typical VM size.
	limit as 45000000 unlimited

	# Comments to the args in order:
	# -i: Exit immediately after fork. The jailed process will run in the
	# background.
	# --uts: Create and enter new UTS namespace (hostname/NIS domain name).
	# -N: Create and enter new cgroup namespace.
	# -v: Create and enter new VFS namespace.
	# -P: Set /mnt/empty as the root fs using pivot_root.
	# -d: Create a new /dev mount with a minimal set of nodes.
	#
	# Mounts:
	# - Need read access to /.
	# - Need read access to /dev/log for syslog.
	# - Need write access to /proc for PSI monitor.
	# - Get a writeable and empty /run tmpfs path.
	# - Need access to /run/dbus for DBus communications.
	# - Need access to /run/chromeos-config for reading configuration.
	# - Get a writeable and empty /sys tmpfs path.
	# - Need access to /sys/kernel/mm/chromeos-low_mem for checking memory configs.
	# - Need write access to energy_performance_preference sysfs entries.
	# - Need read access to power_supply sysfs entries.
	# - Need read access to devices to follow power_supply symlinks.
	# - Need write access to gpu sysfs entries.
	# - Need write access to /sys/fs/cgroup/cpuset sysfs entries.
	# - Run as resourced user and group.
	# - Inherit supplementary groups from user resourced.
	# - Grant no caps.
	# - No new privileges (no_new_privs).
	# - Use the resourced seccomp policy.
	# - Execute the daemon.
	#
	# NOTE: We don't add "-e" since we want to receive udev events.
	script

	# powercap does not exist on ARM devies, conditionally bind mount.
	POWER_CAP_MOUNT=""
	if [ -d "/sys/class/powercap" ]; then
	POWER_CAP_MOUNT="-b /sys/class/powercap,,1 "
	fi

	exec minijail0 \
	-i \
	--uts \
	-N \
	-v \
	-P /mnt/empty \
	-d \
	-b / \
	-b /dev/log \
	-k 'proc,/proc,proc,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-k 'tmpfs,/run,tmpfs,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-b /run/dbus \
	-b /run/chromeos-config/v1 \
	-k 'tmpfs,/sys,tmpfs,MS_NODEV\|MS_NOEXEC\|MS_NOSUID,mode=755,size=10M' \
	-b /sys/kernel/mm/chromeos-low_mem \
	-b /sys/devices/system/cpu/cpufreq,,1 \
	-b /sys/class/power_supply,,1 \
	${POWER_CAP_MOUNT} \
	-b /sys/devices,,1 \
	-b /sys/fs/cgroup/cpuset,,1 \
	-b /sys/bus/cpu/devices \
	-b /sys/class/drm,,1 \
	-u resourced -g resourced \
	-G \
	-c 0 \
	-n \
	-S /usr/share/policy/resourced-seccomp.policy \
	-- /usr/bin/resourced
	end script

	tmpfiles /usr/lib/tmpfiles.d/on-demand/resourced.conf