1exe,euser,egroup,pidns,mntns,caps,nonewprivs,filter 2 3# This is a comma separated file listing services that run on the device and the 4# expected security features that are enabled for it. 5# 6# Note: If you add a new service and it's being rejected because it's running as 7# root, do not just whitelist it here. Services should rarely be running under 8# the root account. Spend the time to improve the security of the system early 9# rather than trying to retrofit it later (especially in response to an attack). 10# 11# The fields: 12# exe: The name of the process in /proc/PID/comm (Note the 15 char limit). 13# euser: The user the account runs under (e.g. "syslog"). 14# egroup: The group the account runs under (e.g. "syslog"). 15# pidns: Whether the process runs in a unique pid namespace (Yes|No). 16# mntns: Whether the process runs in a unique mount namespace with 17# pivot_root(2) (Yes|No). 18# caps: Whether the process runs with restricted capabilities (Yes|No). 19# nonewprivs: Whether the process runs with no_new_privs set (minijail's -n). 20# filter: Whether the process runs with a seccomp filter (Yes|No). 21# 22# exe,euser,egroup are mandatory checks. All the other fields are opt-in. That 23# is to say, a "No" setting means the check is skipped, while a "Yes" setting 24# enforces the permission setting. 25 26# Since udev creates device nodes and changes owners/perms, it needs to run as 27# root. TODO: We should namespace it. 28udevd,root,root,No,No,No,No,No 29 30# Frecon needs to run as root and in the original namespace because it might 31# launch new shells via login. Would be nice if it integrated things. 32frecon,root,root,No,No,No,No,No 33 34session_manager,root,root,No,No,No,No,No 35rsyslogd,syslog,syslog,No,Yes,Yes,No,No 36systemd-journal,syslog,syslog,No,Yes,Yes,No,No 37dbus-daemon,messagebus,messagebus,No,No,Yes,No,No 38wpa_supplicant,wpa,wpa,No,No,Yes,Yes,No 39shill,shill,shill,No,No,Yes,Yes,No 40chapsd,chaps,chronos-access,No,No,Yes,Yes,No 41cryptohomed,root,root,No,No,No,No,No 42powerd,power,power,No,No,Yes,No,No 43ModemManager,modem,modem,No,No,Yes,Yes,No 44dhcpcd,dhcp,dhcp,No,No,Yes,No,No 45memd,root,root,Yes,Yes,No,Yes,Yes 46metrics_daemon,root,root,No,No,No,No,No 47disks,cros-disks,cros-disks,No,No,Yes,Yes,No 48update_engine,root,root,No,No,No,No,No 49bluetoothd,bluetooth,bluetooth,No,No,Yes,Yes,No 50debugd,root,root,No,Yes,No,No,No 51cras,cras,cras,No,Yes,Yes,Yes,No 52tcsd,tss,root,No,No,Yes,No,No 53cromo,cromo,cromo,No,No,No,No,No 54wimax-manager,root,root,No,No,No,No,No 55mtpd,mtp,mtp,Yes,Yes,Yes,Yes,Yes 56tlsdated,tlsdate,tlsdate,No,No,Yes,No,No 57tlsdated-setter,root,root,No,No,No,Yes,Yes 58lid_touchpad_he,root,root,No,No,No,No,No 59thermal.sh,root,root,No,No,No,No,No 60daisydog,watchdog,watchdog,Yes,Yes,Yes,Yes,No 61permission_brok,devbroker,root,No,No,Yes,Yes,No 62netfilter-queue,nfqueue,nfqueue,No,No,Yes,No,Yes 63anomaly_collect,root,root,No,No,No,No,No 64attestationd,attestation,attestation,No,No,Yes,Yes,Yes 65periodic_schedu,root,root,No,No,No,No,No 66esif_ufd,root,root,No,No,No,No,No 67easy_unlock,easy-unlock,easy-unlock,No,No,No,No,No 68sslh-fork,sslh,sslh,Yes,Yes,Yes,No,Yes 69upstart-socket-,root,root,No,No,No,No,No 70timberslide,root,root,No,No,No,No,No 71firewalld,firewall,firewall,Yes,Yes,Yes,Yes,No 72conntrackd,nfqueue,nfqueue,No,Yes,Yes,Yes,Yes 73avahi-daemon,avahi,avahi,No,No,Yes,No,No 74upstart-udev-br,root,root,No,No,No,No,No 75midis,midis,midis,Yes,Yes,Yes,Yes,Yes 76 77# Biometrics services. 78bio_crypto_init,biod,biod,Yes,Yes,Yes,Yes,Yes 79biod,biod,biod,Yes,Yes,Yes,Yes,Yes 80 81# Chrome OS camera services. 82cros_camera_service,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes 83cros_camera_algo,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes 84 85# ARC-related services running on Chrome OS. 86arc_camera_serv,arc-camera,arc-camera,No,No,Yes,No,No 87arc-networkd,root,root,No,No,No,No,No 88arc-obb-mounter,root,root,Yes,Yes,No,No,No 89arc-oemcrypto,arc-oemcrypto,arc-oemcrypto,Yes,Yes,Yes,Yes,Yes 90 91# Broadcomm Bluetooth firmware patch downloader runs on some veyron boards. 92brcm_patchram_p,root,root,No,No,No,No,No 93 94# tpm_managerd and trunks run on all TPM2 boards, such as reef. 95tpm_managerd,root,root,No,No,No,No,No 96trunksd,trunks,trunks,No,No,Yes,Yes,Yes 97 98# ARC container. 99# root inside the ARC container. 100app_process,android-root,android-root,Yes,Yes,No,No,No 101debuggerd,android-root,android-root,Yes,Yes,No,No,No 102debuggerd:sig,android-root,android-root,Yes,Yes,No,No,No 103healthd,android-root,android-root,Yes,Yes,No,No,No 104vold,android-root,android-root,Yes,Yes,No,No,No 105 106# Non-root inside the ARC container. 107boot_latch,656360,656360,Yes,Yes,Yes,No,No 108bugreportd,657360,656367,Yes,Yes,Yes,No,No 109logd,656396,656396,Yes,Yes,Yes,No,No 110servicemanager,656360,656360,Yes,Yes,Yes,No,No 111surfaceflinger,656360,656363,Yes,Yes,Yes,No,No 112 113# Chrome OS one-off init scripts. 114# These are small setup scripts that don't spawn daemons and are short lived. 115activate_date.s,root,root,No,No,No,No,No 116crx-import.sh,root,root,No,No,No,No,No 117lockbox-cache.s,root,root,No,No,No,No,No 118powerd-pre-star,root,root,No,No,No,No,No 119