# lmkd low memory killer daemon
#
# Policy for the lmkd domain. The rules below let lmkd adjust the OOM score
# of app processes and system_server, tune the kernel lowmemorykiller,
# SIGKILL app processes, and remove stale cgroup directories.

# NOTE(review): mlstrustedsubject exempts this domain from the policy's MLS
# constraints; presumably needed so lmkd can write /proc/PID files of apps
# running at other MLS levels. Confirm it is still required.
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;

# Transition from init into the lmkd domain when init executes a file
# labeled lmkd_exec.
init_daemon_domain(lmkd)

# dac_override: bypass file DAC permission checks.
# sys_resource: override kernel resource limits.
# kill: signal processes regardless of UID.
# NOTE(review): presumably these are needed to write oom_score_adj for, and
# to kill, processes owned by other UIDs. dac_override is broad; confirm each
# capability is still needed.
allow lmkd self:capability { dac_override sys_resource kill };

# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
# b/16236289
allow lmkd self:capability ipc_lock;

## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
# NOTE(review): /proc/PID entries carry the label of the process's domain,
# so the file write permission below is not limited to oom_score_adj; it
# covers every file labeled with an appdomain or system_server type. That
# is the over-broad grant the TODO refers to.
r_dir_file(lmkd, appdomain)
allow lmkd appdomain:file write;
r_dir_file(lmkd, system_server)
allow lmkd system_server:file write;

## Writes to /sys/module/lowmemorykiller/parameters/minfree
allow lmkd sysfs_lowmemorykiller:file w_file_perms;

# Send kill signals
# Only sigkill is granted, and only against appdomain processes; this file
# grants no signal permission over system_server or any other domain.
allow lmkd appdomain:process sigkill;

# Clean up old cgroups
# Directory removal only; nothing here allows creating cgroup directories.
allow lmkd cgroup:dir { remove_name rmdir };

# Set self to SCHED_FIFO
allow lmkd self:capability sys_nice;

### neverallow rules

# never honor LD_PRELOAD
# noatsecure would let a domain transition into lmkd without secure-exec
# (AT_SECURE) mode. Forbidding it for every source domain keeps the dynamic
# linker from honoring caller-supplied environment such as LD_PRELOAD.
neverallow domain lmkd:process noatsecure;