| # Copyright 2020 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Daemon to control authorization of external PCI devices" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started boot-services and started syslog |
| stop on stopping system-services |
| |
| expect fork |
| respawn |
| respawn limit 3 10 |
| # TODO(b/175884884): figure out what to do if pciguard crashes |
| |
| oom score -200 |
| |
| # minijail0 args: |
| # -i : Exit after fork, minijailed process to run in background |
| # -u -g : Run as specified user |
| # -c 2 : CAP_DAC_OVERRIDE |
| # -l : new IPC namespace |
| # -N : new cgroup namespace. |
| # -p : new PID namespace |
| # --uts : new UTS/hostname namespace |
| # -n : Set the no_new_privs bit |
| # --config <conf> : Minijail configuration file where all mounts and |
| # : bind-mounts are specified. |
| # -S <policy> : Use the specified seccomp policy |
| |
| exec minijail0 -i -u pciguard -g pciguard -c 2 -l -N -p --uts -n \ |
| --config /usr/share/minijail/pciguard.conf \ |
| -S /usr/share/policy/pciguard-seccomp.policy \ |
| /usr/sbin/pciguard |
