Google Git
Sign in
chromium / chromiumos / platform2 / HEAD / . / patchpanel / init / patchpanel.conf
blob: a9063b2054765ab1323e3dc371dddd178205978c [file] [log] [blame]
# Copyright 2015 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Starts platform guest networking services"
author "chromium-os-dev@chromium.org"
start on starting system-services or starting openssh-server
stop on stopping system-services
respawn
respawn limit 3 10
# Do not respawn if the service is terminated on purpose.
normal exit 0
# Minijail actually forks off the desired process.
expect fork
# Killable for memory leaks.
oom score -100
# This limit is high to accommodate the adb-proxy child process which will
# attempt to mmap over 200MB on first connect.
limit as 400000000 unlimited
pre-start script
# CAP_BPF and `--no-default-runtime-environment` to enable bpf operations.
# `-G` to inherit bpf-access group. Note that this is just a one-shot program
# but not a daemon. Always ingore the non-zero exit code since it will make
# the pre-start script failed and thus block the main patchpanel process.
minijail0 -u patchpaneld -g patchpaneld -G --no-default-runtime-environment \
-c cap_bpf=e /usr/bin/patchpanel_bpf_loader || true
end script
script
# Record the patchpanel start event at /run/bootstat/uptime-patchpanel-start.
bootstat patchpanel-start
# Start constructing minijail0 args...
args=""
# Make sure minijail0 exits right away and won't block upstart.
args="${args} -i"
# Run as patchpaneld user and group.
args="${args} -u patchpaneld -g patchpaneld"
# Inherit supplementary groups.
args="${args} -G"
# Prevent that execve gains privileges, required for seccomp filters.
args="${args} -n"
# Avoid locking SECURE_KEEP_CAPS flag.
args="${args} -B 20"
# So that child processes can inherit runtime capabilities.
args="${args} --ambient"
# --no-default-runtime-environment to enable BPF operations.
args="${args} --no-default-runtime-environment"
# Start constructing arg for capabilities...
# CAP_NET_ADMIN and CAP_NET_RAW are required by a variety of functionalities
# in patchpanel for network management.
caps="cap_net_admin,cap_net_raw"
# TODO(b/294449735): Find a way to remove these two CAPs.
# CAP_SYS_CHROOT and CAP_CHOWN are required by entering the mount namespace of
# ARC container and changing the owner of several files in that.
caps="${caps},cap_sys_chroot,cap_chown"
# CAP_SETUID and CAP_SETGID are used to change user and group to nobody when
# forking processes. The transition is protected by SafeSetID LSM.
caps="${caps},cap_setuid,cap_setgid"
# CAP_SETPCAP is required to set CAPs when forking processes.
caps="${caps},cap_setpcap"
# CAP_NET_BIND_SERVICE is required by DHCP server.
caps="${caps},cap_net_bind_service"
# CAP_SYS_ADMIN is required by several operations related to namespaces.
# TODO(b/293389589#comment8): Investigate how to drop it from the main
# process.
caps="${caps},cap_sys_admin"
# CAP_SYS_PTRACE is required by `ip netns` command to read the netns owned by
# other processes.
caps="${caps},cap_sys_ptrace"
# CAP_SYS_MODULE is required for loading kernel modules on behalf of ARC.
caps="${caps},cap_sys_module"
# CAP_BPF is required for attaching BPF programs by iptables.
# TODO(b/311100871): Revisit the usage of CAP_BPF.
caps="${caps},cap_bpf"
args="${args} -c ${caps}=e"
# Execute patchpaneld.
args="${args} /usr/bin/patchpaneld"
exec minijail0 ${args}
end script
# Mark service as started after D-Bus service is ready. Also log the metrics,
# which can be found at /run/bootstat/uptime-patchpanel-started.
post-start script
minijail0 -u patchpaneld -g patchpaneld \
/usr/bin/gdbus wait --system --timeout 60 org.chromium.PatchPanel
bootstat patchpanel-started
end script