Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / refs/tags/fp2-sibon-17.12.1 / . / lmkd.te
blob: 3243ddb5f31937f589d0df6d10872456880c542f [file] [log] [blame]
Nick Kralevich2b392fc2013-12-05 16:55:34 -0800[diff] [blame]1# lmkd low memory killer daemon
Stephen Smalleycbc52792014-09-11 15:51:28 -0400[diff] [blame]2type lmkd, domain, mlstrustedsubject;
Nick Kralevich2b392fc2013-12-05 16:55:34 -0800[diff] [blame]3type lmkd_exec, exec_type, file_type;
4
5init_daemon_domain(lmkd)
Nick Kralevich5467fce2014-02-13 12:19:50 -0800[diff] [blame]6
Nick Kralevich24be3912014-02-27 15:38:45 -0800[diff] [blame]7allow lmkd self:capability { dac_override sys_resource kill };
Nick Kralevich5467fce2014-02-13 12:19:50 -0800[diff] [blame]8
Nick Kralevich6a1405d2014-07-16 11:45:51 -0700[diff] [blame]9# lmkd locks itself in memory, to prevent it from being
10# swapped out and unable to kill other memory hogs.
11# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
12# b/16236289
13allow lmkd self:capability ipc_lock;
14
Nick Kralevich5467fce2014-02-13 12:19:50 -0800[diff] [blame]15## Open and write to /proc/PID/oom_score_adj
16## TODO: maybe scope this down?
17r_dir_file(lmkd, appdomain)
18allow lmkd appdomain:file write;
19r_dir_file(lmkd, system_server)
20allow lmkd system_server:file write;
21
22## Writes to /sys/module/lowmemorykiller/parameters/minfree
23allow lmkd sysfs_lowmemorykiller:file w_file_perms;
Nick Kralevich23a52e62014-03-04 17:15:13 -0800[diff] [blame]24
25# Send kill signals
26allow lmkd appdomain:process sigkill;
Colin Cross53297312014-07-14 17:39:15 -0700[diff] [blame]27
28# Clean up old cgroups
29allow lmkd cgroup:dir { remove_name rmdir };
30
31# Set self to SCHED_FIFO
32allow lmkd self:capability sys_nice;
Nick Kralevich8a5b28d2014-07-16 18:42:36 -0700[diff] [blame]33
34### neverallow rules
35
36# never honor LD_PRELOAD
37neverallow domain lmkd:process noatsecure;