exe,euser,egroup,pidns,mntns,caps,nonewprivs,filter

# This is a comma-separated file listing services that run on the device and the
# expected security features that are enabled for each.
#
# Note: If you add a new service and it's being rejected because it's running as
# root, do not just whitelist it here.  Services should rarely be running under
# the root account.  Spend the time to improve the security of the system early
# rather than trying to retrofit it later (especially in response to an attack).
#
# The fields:
# exe: The name of the process in /proc/PID/comm (Note the 15 char limit).
# euser: The user the account runs under (e.g. "syslog").
# egroup: The group the account runs under (e.g. "syslog").
# pidns: Whether the process runs in a unique pid namespace (Yes|No).
# mntns: Whether the process runs in a unique mount namespace with
#        pivot_root(2) (Yes|No).
# caps: Whether the process runs with restricted capabilities (Yes|No).
# nonewprivs: Whether the process runs with no_new_privs set (minijail's -n).
# filter: Whether the process runs with a seccomp filter (Yes|No).
#
# exe,euser,egroup are mandatory checks.  All the other fields are opt-in.  That
# is to say, a "No" setting means the check is skipped, while a "Yes" setting
# enforces the permission setting.

# Since udev creates device nodes and changes owners/perms, it needs to run as
# root.  TODO: We should namespace it.
udevd,root,root,No,No,No,No,No

# Frecon needs to run as root and in the original namespace because it might
# launch new shells via login.  Would be nice if it integrated things.
frecon,root,root,No,No,No,No,No

session_manager,root,root,No,No,No,No,No
rsyslogd,syslog,syslog,No,Yes,Yes,No,No
systemd-journal,syslog,syslog,No,Yes,Yes,No,No
dbus-daemon,messagebus,messagebus,No,No,Yes,No,No
wpa_supplicant,wpa,wpa,No,No,Yes,Yes,No
shill,shill,shill,No,No,Yes,Yes,No
chapsd,chaps,chronos-access,No,No,Yes,Yes,No
cryptohomed,root,root,No,No,No,No,No
powerd,power,power,No,No,Yes,No,No
ModemManager,modem,modem,No,No,Yes,Yes,No
dhcpcd,dhcp,dhcp,No,No,Yes,No,No
memd,root,root,Yes,Yes,No,Yes,Yes
metrics_daemon,root,root,No,No,No,No,No
disks,cros-disks,cros-disks,No,No,Yes,Yes,No
update_engine,root,root,No,No,No,No,No
bluetoothd,bluetooth,bluetooth,No,No,Yes,Yes,No
debugd,root,root,No,Yes,No,No,No
cras,cras,cras,No,Yes,Yes,Yes,No
tcsd,tss,root,No,No,Yes,No,No
cromo,cromo,cromo,No,No,No,No,No
wimax-manager,root,root,No,No,No,No,No
mtpd,mtp,mtp,Yes,Yes,Yes,Yes,Yes
tlsdated,tlsdate,tlsdate,No,No,Yes,No,No
tlsdated-setter,root,root,No,No,No,Yes,Yes
lid_touchpad_he,root,root,No,No,No,No,No
thermal.sh,root,root,No,No,No,No,No
daisydog,watchdog,watchdog,Yes,Yes,Yes,Yes,No
permission_brok,devbroker,root,No,No,Yes,Yes,No
netfilter-queue,nfqueue,nfqueue,No,No,Yes,No,Yes
anomaly_collect,root,root,No,No,No,No,No
attestationd,attestation,attestation,No,No,Yes,Yes,Yes
periodic_schedu,root,root,No,No,No,No,No
esif_ufd,root,root,No,No,No,No,No
easy_unlock,easy-unlock,easy-unlock,No,No,No,No,No
sslh-fork,sslh,sslh,Yes,Yes,Yes,No,Yes
upstart-socket-,root,root,No,No,No,No,No
timberslide,root,root,No,No,No,No,No
firewalld,firewall,firewall,Yes,Yes,Yes,Yes,No
conntrackd,nfqueue,nfqueue,No,Yes,Yes,Yes,Yes
avahi-daemon,avahi,avahi,No,No,Yes,No,No
upstart-udev-br,root,root,No,No,No,No,No
midis,midis,midis,Yes,Yes,Yes,Yes,Yes

# Biometrics services.
bio_crypto_init,biod,biod,Yes,Yes,Yes,Yes,Yes
biod,biod,biod,Yes,Yes,Yes,Yes,Yes

# Chrome OS camera services.
cros_camera_service,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes
cros_camera_algo,arc-camera,arc-camera,Yes,Yes,Yes,Yes,Yes

# ARC-related services running on Chrome OS.
arc_camera_serv,arc-camera,arc-camera,No,No,Yes,No,No
arc-networkd,root,root,No,No,No,No,No
arc-obb-mounter,root,root,Yes,Yes,No,No,No
arc-oemcrypto,arc-oemcrypto,arc-oemcrypto,Yes,Yes,Yes,Yes,Yes

# Broadcom Bluetooth firmware patch downloader runs on some veyron boards.
brcm_patchram_p,root,root,No,No,No,No,No

# tpm_managerd and trunks run on all TPM2 boards, such as reef.
tpm_managerd,root,root,No,No,No,No,No
trunksd,trunks,trunks,No,No,Yes,Yes,Yes

# ARC container.
# root inside the ARC container.
app_process,android-root,android-root,Yes,Yes,No,No,No
debuggerd,android-root,android-root,Yes,Yes,No,No,No
debuggerd:sig,android-root,android-root,Yes,Yes,No,No,No
healthd,android-root,android-root,Yes,Yes,No,No,No
vold,android-root,android-root,Yes,Yes,No,No,No

# Non-root inside the ARC container.
boot_latch,656360,656360,Yes,Yes,Yes,No,No
bugreportd,657360,656367,Yes,Yes,Yes,No,No
logd,656396,656396,Yes,Yes,Yes,No,No
servicemanager,656360,656360,Yes,Yes,Yes,No,No
surfaceflinger,656360,656363,Yes,Yes,Yes,No,No

# Chrome OS one-off init scripts.
# These are small setup scripts that don't spawn daemons and are short lived.
activate_date.s,root,root,No,No,No,No,No
crx-import.sh,root,root,No,No,No,No,No
lockbox-cache.s,root,root,No,No,No,No,No
powerd-pre-star,root,root,No,No,No,No,No
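
The field semantics from the header comments (mandatory exe/euser/egroup, opt-in "Yes" fields, 15-character comm names), sketched as an added example that is not part of this file or of the Chrome OS test code. The function names, the shape of the `observed` dict, and reporting unlisted services as findings are assumptions of this sketch.

```python
import csv
import io

# Constructed excerpt: header plus three rows copied from the baseline above.
BASELINE = """\
exe,euser,egroup,pidns,mntns,caps,nonewprivs,filter
# comment lines and blank lines are skipped
rsyslogd,syslog,syslog,No,Yes,Yes,No,No
mtpd,mtp,mtp,Yes,Yes,Yes,Yes,Yes
permission_brok,devbroker,root,No,No,Yes,Yes,No
"""

MANDATORY = ("euser", "egroup")
OPT_IN = ("pidns", "mntns", "caps", "nonewprivs", "filter")
COMM_MAX = 15  # /proc/PID/comm holds at most 15 characters of the name


def load_baseline(text):
    """Parse the CSV, dropping blank lines and '#' comments; key rows by exe."""
    lines = (l for l in io.StringIO(text)
             if l.strip() and not l.startswith("#"))
    return {row["exe"]: row for row in csv.DictReader(lines)}


def check_service(baseline, observed):
    """Return a list of violations for one observed process.

    `observed` is a hypothetical dict: exe (full name), euser, egroup, and a
    boolean per opt-in field, as a test harness would collect from /proc.
    """
    comm = observed["exe"][:COMM_MAX]  # match the truncated name in the file
    expected = baseline.get(comm)
    if expected is None:
        # Assumption of this sketch: an unlisted service is itself a finding.
        return ["%s: not in baseline" % comm]
    problems = []
    for field in MANDATORY:
        if observed[field] != expected[field]:
            problems.append("%s: %s is %s, expected %s"
                            % (comm, field, observed[field], expected[field]))
    for field in OPT_IN:
        # "No" skips the check entirely; only "Yes" enforces the feature.
        if expected[field] == "Yes" and not observed[field]:
            problems.append("%s: %s required but not enabled" % (comm, field))
    return problems
```

Because "No" only skips a check, a service that gains a sandboxing feature keeps passing until its row is tightened to "Yes"; the baseline catches regressions, not missing hardening.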