      1 # lmkd low memory killer daemon
      2 type lmkd, domain, mlstrustedsubject;
      3 type lmkd_exec, exec_type, file_type;
      4 
      5 allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
      6 
      7 # lmkd locks itself in memory, to prevent it from being
      8 # swapped out and unable to kill other memory hogs.
      9 # system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
     10 # b/16236289
     11 allow lmkd self:global_capability_class_set ipc_lock;
     12 
     13 ## Open and write to /proc/PID/oom_score_adj
     14 ## TODO: maybe scope this down?
     15 r_dir_file(lmkd, appdomain)
     16 allow lmkd appdomain:file write;
     17 r_dir_file(lmkd, system_server)
     18 allow lmkd system_server:file write;
     19 
     20 ## Writes to /sys/module/lowmemorykiller/parameters/minfree
     21 r_dir_file(lmkd, sysfs_lowmemorykiller)
     22 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
     23 
     24 # Send kill signals
     25 allow lmkd appdomain:process sigkill;
     26 
     27 # Clean up old cgroups
     28 allow lmkd cgroup:dir { remove_name rmdir };
     29 
     30 # Allow to read memcg stats
     31 allow lmkd cgroup:file r_file_perms;
     32 
     33 # Set self to SCHED_FIFO
     34 allow lmkd self:global_capability_class_set sys_nice;
     35 
     36 allow lmkd proc_zoneinfo:file r_file_perms;
     37 
     38 # live lock watchdog process allowed to look through /proc/
     39 allow lmkd domain:dir { search open read };
     40 allow lmkd domain:file { open read };
     41 
     42 # live lock watchdog process allowed to dump process trace and
     43 # reboot because orderly shutdown may not be possible.
     44 allow lmkd proc_sysrq:file rw_file_perms;
     45 
     46 # Read /proc/meminfo
     47 allow lmkd proc_meminfo:file r_file_perms;
     48 
     49 ### neverallow rules
     50 
     51 # never honor LD_PRELOAD
     52 neverallow * lmkd:process noatsecure;
     53