From 6a1405d7457dee096a4d25e79844dfe62297943f Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 16 Jul 2014 11:45:51 -0700
Subject: [PATCH] lmkd: allow lmkd to lock itself in memory

addresses the following denial:

  type=1400 audit(1.871:3): avc:  denied  { ipc_lock } for  pid=1406 comm="lmkd" capability=14  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

Bug: 16236289
Change-Id: Id9923c16c6db026dd5d28996126f503c5c1d7c87
---
 lmkd.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lmkd.te b/lmkd.te
index b1ffca41a..771c7805e 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -6,6 +6,12 @@ init_daemon_domain(lmkd)
 
 allow lmkd self:capability { dac_override sys_resource kill };
 
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:capability ipc_lock;
+
 ## Open and write to /proc/PID/oom_score_adj
 ## TODO: maybe scope this down?
 r_dir_file(lmkd, appdomain)