      1 # lmkd low memory killer daemon
      2 type lmkd, domain, mlstrustedsubject;
      3 type lmkd_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(lmkd)
      6 
      7 allow lmkd self:capability { dac_override sys_resource kill };
      8 
      9 # lmkd locks itself in memory, to prevent it from being
     10 # swapped out and unable to kill other memory hogs.
     11 # system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
     12 # b/16236289
     13 allow lmkd self:capability ipc_lock;
     14 
     15 ## Open and write to /proc/PID/oom_score_adj
     16 ## TODO: maybe scope this down?
     17 r_dir_file(lmkd, appdomain)
     18 allow lmkd appdomain:file write;
     19 r_dir_file(lmkd, system_server)
     20 allow lmkd system_server:file write;
     21 
     22 ## Writes to /sys/module/lowmemorykiller/parameters/minfree
     23 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
     24 
     25 # Send kill signals
     26 allow lmkd appdomain:process sigkill;
     27 
     28 # Clean up old cgroups
     29 allow lmkd cgroup:dir { remove_name rmdir };
     30 
     31 # Set self to SCHED_FIFO
     32 allow lmkd self:capability sys_nice;
     33 
     34 ### neverallow rules
     35 
     36 # never honor LD_PRELOAD
     37 neverallow domain lmkd:process noatsecure;