# lmkd: low memory killer daemon.
#
# Type enforcement policy for the lmkd domain. Per the comments carried over
# from the original file, lmkd writes /proc/PID/oom_score_adj, writes the
# lowmemorykiller minfree parameter, and sends SIGKILL to app processes.

# mlstrustedsubject exempts lmkd, as a subject, from the MLS constraints.
# NOTE(review): presumably needed to reach app processes at other MLS
# levels; this file does not say so, confirm against the mls constraints.
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;

### Capabilities lmkd holds over itself

allow lmkd self:capability {
    # NOTE(review): dac_override bypasses discretionary file permission
    # checks and is the broadest grant in this set. This file does not
    # record which access requires it; confirm it is still needed.
    dac_override
    sys_resource
    kill

    # lmkd locks itself in memory, to prevent it from being
    # swapped out and unable to kill other memory hogs.
    # system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
    # b/16236289
    ipc_lock

    # Set self to SCHED_FIFO
    sys_nice
};

### Access to other processes

## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
# NOTE(review): the rules are written against the process types, so the
# write permission is not limited to oom_score_adj. It applies to any file
# labeled with the appdomain or system_server type (presumably the other
# /proc/PID entries as well; verify against the proc labeling).
r_dir_file(lmkd, appdomain)
r_dir_file(lmkd, system_server)
allow lmkd { appdomain system_server }:file write;

# Send kill signals
# Only sigkill, and only to appdomain. system_server is adjustable through
# oom_score_adj above but is not a permitted kill target.
allow lmkd appdomain:process sigkill;

### Kernel interfaces

## Writes to /sys/module/lowmemorykiller/parameters/minfree
# NOTE(review): the read half is granted on the sysfs_type attribute, i.e.
# every sysfs type, while the write half is limited to
# sysfs_lowmemorykiller. Check whether the read can be narrowed to the
# types lmkd actually opens.
r_dir_file(lmkd, sysfs_type)
allow lmkd sysfs_lowmemorykiller:file w_file_perms;

# Clean up old cgroups
# Directory removal only; no create or write on cgroup files is granted here.
allow lmkd cgroup:dir { remove_name rmdir };

# Read-only access to files labeled proc_zoneinfo
# (presumably /proc/zoneinfo; confirm in the genfs labeling).
allow lmkd proc_zoneinfo:file r_file_perms;

### neverallow rules

# never honor LD_PRELOAD
# noatsecure would let a domain transition into lmkd skip secure-exec mode.
# Forbidding it for every source domain keeps the dynamic linker from
# honoring environment variables such as LD_PRELOAD when lmkd starts.
neverallow * lmkd:process noatsecure;