exe,euser,egroup,pidns,mntns,caps,nonewprivs,filter

# This is a comma separated file listing services that run on the device and the
# expected security features that are enabled for it.
#
# Note: If you add a new service and it's being rejected because it's running as
# root, do not just whitelist it here.  Services should rarely be running under
# the root account.  Spend the time to improve the security of the system early
# rather than trying to retrofit it later (especially in response to an attack).
#
# The fields:
# exe: The name of the process in /proc/PID/comm (Note the 15 char limit).
# euser: The user the account runs under (e.g. "syslog").
# egroup: The group the account runs under (e.g. "syslog").
# pidns: Whether the process runs in a unique pid namespace (Yes|No).
# mntns: Whether the process runs in a unique mount namespace with
#        pivot_root(2) (Yes|No).
# caps: Whether the process runs with restricted capabilities (Yes|No).
# nonewprivs: Whether the process runs with no_new_privs set (minijail's -n).
# filter: Whether the process runs with a seccomp filter (Yes|No).
#
# exe,euser,egroup are mandatory checks.  All the other fields are opt-in.  That
# is to say, a "No" setting means the check is skipped, while a "Yes" setting
# enforces the permission setting.

# Since udev creates device nodes and changes owners/perms, it needs to run as
# root.  TODO: We should namespace it.
udevd,root,root,No,No,No,No,No

# Frecon needs to run as root and in the original namespace because it might
# launch new shells via login.  Would be nice if it integrated things.
frecon,root,root,No,No,No,No,No

session_manager,root,root,No,No,No,No,No
rsyslogd,syslog,syslog,No,Yes,Yes,No,No
systemd-journal,syslog,syslog,No,Yes,Yes,No,No
dbus-daemon,messagebus,messagebus,No,No,Yes,No,No
wpa_supplicant,wpa,wpa,No,No,Yes,Yes,No
shill,shill,shill,No,No,Yes,Yes,No
chapsd,chaps,chronos-access,No,No,Yes,Yes,No
cryptohomed,root,root,No,No,No,No,No
powerd,power,power,No,No,Yes,No,No
ModemManager,modem,modem,No,No,Yes,Yes,No
dhcpcd,dhcp,dhcp,No,No,Yes,No,No
memd,root,root,Yes,Yes,No,Yes,Yes
metrics_daemon,root,root,No,No,No,No,No
disks,cros-disks,cros-disks,No,No,Yes,Yes,No
update_engine,root,root,No,No,No,No,No
bluetoothd,bluetooth,bluetooth,No,No,Yes,Yes,No
debugd,root,root,No,Yes,No,No,No
cras,cras,cras,No,Yes,Yes,Yes,No
tcsd,tss,root,No,No,Yes,No,No
cromo,cromo,cromo,No,No,No,No,No
wimax-manager,root,root,No,No,No,No,No
mtpd,mtp,mtp,Yes,Yes,Yes,Yes,Yes
tlsdated,tlsdate,tlsdate,No,No,Yes,No,No
tlsdated-setter,root,root,No,No,No,Yes,Yes
lid_touchpad_he,root,root,No,No,No,No,No
thermal.sh,root,root,No,No,No,No,No
daisydog,watchdog,watchdog,Yes,Yes,Yes,Yes,No
permission_brok,devbroker,root,No,No,Yes,Yes,No
netfilter-queue,nfqueue,nfqueue,No,No,Yes,No,Yes
anomaly_collect,root,root,No,No,No,No,No
attestationd,attestation,attestation,No,No,Yes,Yes,Yes
periodic_schedu,root,root,No,No,No,No,No
esif_ufd,root,root,No,No,No,No,No
easy_unlock,easy-unlock,easy-unlock,No,No,No,No,No
sslh-fork,sslh,sslh,Yes,Yes,Yes,No,Yes
upstart-socket-,root,root,No,No,No,No,No
timberslide,root,root,No,No,No,No,No
firewalld,firewall,firewall,Yes,Yes,Yes,Yes,No
conntrackd,nfqueue,nfqueue,No,Yes,Yes,Yes,Yes
avahi-daemon,avahi,avahi,No,No,Yes,No,No
upstart-udev-br,root,root,No,No,No,No,No
midis,midis,midis,Yes,Yes,Yes,Yes,Yes

# Biometrics services.
bio_crypto_init,biod,biod,Yes,Yes,Yes,Yes,Yes
biod,biod,biod,Yes,Yes,Yes,Yes,Yes

# Chrome OS camera services.
cros_camera_service,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes
cros_camera_algo,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes

# ARC-related services running on Chrome OS.
arc_camera_serv,arc-camera,arc-camera,No,No,Yes,No,No
arc-networkd,root,root,No,No,No,No,No
arc-obb-mounter,root,root,Yes,Yes,No,No,No
arc-oemcrypto,arc-oemcrypto,arc-oemcrypto,Yes,Yes,Yes,Yes,Yes

# Broadcom Bluetooth firmware patch downloader runs on some veyron boards.
brcm_patchram_p,root,root,No,No,No,No,No

# tpm_managerd and trunks run on all TPM2 boards, such as reef.
tpm_managerd,root,root,No,No,No,No,No
trunksd,trunks,trunks,No,No,Yes,Yes,Yes

# ARC container.
# root inside the ARC container.
app_process,android-root,android-root,Yes,Yes,No,No,No
debuggerd,android-root,android-root,Yes,Yes,No,No,No
debuggerd:sig,android-root,android-root,Yes,Yes,No,No,No
healthd,android-root,android-root,Yes,Yes,No,No,No
vold,android-root,android-root,Yes,Yes,No,No,No

# Non-root inside the ARC container.
boot_latch,656360,656360,Yes,Yes,Yes,No,No
bugreportd,657360,656367,Yes,Yes,Yes,No,No
logd,656396,656396,Yes,Yes,Yes,No,No
servicemanager,656360,656360,Yes,Yes,Yes,No,No
surfaceflinger,656360,656363,Yes,Yes,Yes,No,No

# Chrome OS one-off init scripts.
# These are small setup scripts that don't spawn daemons and are short lived.
activate_date.s,root,root,No,No,No,No,No
crx-import.sh,root,root,No,No,No,No,No
lockbox-cache.s,root,root,No,No,No,No,No
powerd-pre-star,root,root,No,No,No,No,No
