| # Copyright 2023 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Security event reporting daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # Minimum log level defined in base/logging.h. |
| # 0:INFO, 1:WARNING, 2:ERROR, 3:ERROR_REPORT, 4:FATAL |
| # -1:VLOG(1), -2:VLOG(2), etc |
| # Set to log only INFO or above by default. |
| import SECAGENTD_LOG_LEVEL |
| |
| # Set this env var to true to bypass any policy checks and always report |
| # all events. |
| import BYPASS_POLICY_FOR_TESTING |
| |
| # Set this env var to true to bypass the initial wait for an Agent Start event |
| # to be enqueued successfully. |
| import BYPASS_ENQ_OK_WAIT_FOR_TESTING |
| |
| # Set this env var to true to stop reporting XDR events for unaffiliated users. |
| import STOP_REPORTING_FOR_UNAFFILIATED_USERS |
| |
| # Set this env var to the desired value of the agent heartbeat timer |
| # (> 0) period in seconds. |
| import SET_HEARTBEAT_PERIOD_S_FOR_TESTING |
| |
| # Set this env var to the desired value of the event batching interval |
| # in seconds. |
| import PLUGIN_BATCH_INTERVAL_S_FOR_TESTING |
| |
| start on starting system-services |
| stop on stopping system-services |
| |
| # secagentd keeps very little state and can easily recover so allow the OOM |
| # killer to terminate it. |
| oom score -100 |
| respawn |
| |
| # These enviroment variable may be modified in the ebuild file. |
| env SECAGENTD_FREEZER_CGROUP_DIR=/sys/fs/cgroup/freezer/secagentd |
| |
| script |
| # Args passed through to secagentd. |
| args="" |
| |
| # --log_level: The logging level. |
| v="${SECAGENTD_LOG_LEVEL}" |
| if [ -n "${v}" ]; then |
| args="${args} --log_level=${v}" |
| fi |
| |
| # --bypass_policy_for_testing: Skip checking the device policy for XDR |
| # reporting. |
| v="${BYPASS_POLICY_FOR_TESTING}" |
| if [ -n "${v}" ]; then |
| args="${args} --bypass_policy_for_testing=${v}" |
| fi |
| |
| # --bypass_enq_ok_wait_for_testing: Skip waiting for the first successful |
| # enqueueing of an agent start event before starting XDR reporting. |
| v="${BYPASS_ENQ_OK_WAIT_FOR_TESTING}" |
| if [ -n "${v}" ]; then |
| args="${args} --bypass_enq_ok_wait_for_testing=${v}" |
| fi |
| |
| # --stop_reporting_for_unaffiliated_users: Stops reporting when an |
| # unaffiliated user signs in. |
| v="${STOP_REPORTING_FOR_UNAFFILIATED_USERS}" |
| if [ -n "${v}" ]; then |
| args="${args} --stop_reporting_for_unaffiliated_users=${v}" |
| fi |
| |
| # --set_heartbeat_period_s_for_testing: Set timer for agent heartbeat. |
| v="${SET_HEARTBEAT_PERIOD_S_FOR_TESTING}" |
| if [ -n "${v}" ]; then |
| args="${args} --set_heartbeat_period_s_for_testing=${v}" |
| fi |
| |
| # --plugin_batch_interval_s_for_testing: Set event batch interval. |
| v="${PLUGIN_BATCH_INTERVAL_S_FOR_TESTING}" |
| if [ -n "${v}" ]; then |
| args="${args} --plugin_batch_interval_s_for_testing=${v}" |
| fi |
| |
| # Args passed to minijail0. |
| # Inherit supplementary groups. |
| jail="-G" |
| jail="${jail} --config /usr/share/minijail/secagentd.conf" |
| |
| exec minijail0 ${jail} -- /usr/sbin/secagentd ${args} |
| |
| end script |
| |
| post-start script |
| echo $(status | cut -f 4 -d ' ') > \ |
| "${SECAGENTD_FREEZER_CGROUP_DIR}/cgroup.procs" |
| end script |
