allow init to communicate with lmkd and lmkd to kill native processes
init should register native services with lmkd so that they can be killed when necessary. Allow init to communicate with lmkd over dedicated socket the same way AMS does. Allow lmkd to kill and manipulate native processes that were registered with lmkd. Bug: 129011369 Test: boot and verify native service registration Test: verify lmkd can kill registered native processes using lmkd_unit_test Change-Id: Idfc814bd08115c548e97f11a6bdb006790cbb4ed Signed-off-by: Suren Baghdasaryan <surenb@google.com>
parent
426f2e77c0
commit
ee57f177d8
@ -28,6 +28,8 @@ allow init device:file relabelfrom;
|
||||
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
|
||||
# /dev/socket
|
||||
allow init { device socket_device }:dir relabelto;
|
||||
# allow init to establish connection and communicate with lmkd
|
||||
unix_socket_connect(init, lmkd, lmkd)
|
||||
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
|
||||
allow init { null_device ptmx_device random_device } : chr_file relabelto;
|
||||
# /dev/device-mapper, /dev/block(/.*)?
|
||||
|
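Review bot: The comment above `unix_socket_connect(init, lmkd, lmkd)` states what the rule permits but not why init needs it or what limits the access. Policy only gates the connection; it cannot constrain which processes init names once connected, so that validation rests with lmkd's own request handling, which is not visible on this page. I would expand the comment to something like `# init registers native services with lmkd over its socket so lmkd can kill them under memory pressure; lmkd, not policy, validates the requests`. The +/- markers are lost in this rendering, so I am treating the comment and the macro call as the two added lines implied by the 6-to-8 line counts in the hunk header.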
@ -10,19 +10,17 @@ allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_r
|
||||
# b/16236289
|
||||
allow lmkd self:global_capability_class_set ipc_lock;
|
||||
|
||||
## Open and write to /proc/PID/oom_score_adj
|
||||
## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
|
||||
## TODO: maybe scope this down?
|
||||
r_dir_file(lmkd, appdomain)
|
||||
allow lmkd appdomain:file write;
|
||||
r_dir_file(lmkd, system_server)
|
||||
allow lmkd system_server:file write;
|
||||
r_dir_file(lmkd, domain)
|
||||
allow lmkd domain:file write;
|
||||
|
||||
## Writes to /sys/module/lowmemorykiller/parameters/minfree
|
||||
r_dir_file(lmkd, sysfs_lowmemorykiller)
|
||||
allow lmkd sysfs_lowmemorykiller:file w_file_perms;
|
||||
|
||||
# setsched and send kill signals
|
||||
allow lmkd appdomain:process { setsched sigkill };
|
||||
# setsched and send kill signals to any registered process
|
||||
allow lmkd domain:process { setsched sigkill };
|
||||
# TODO: delete this line b/131761776
|
||||
allow lmkd kernel:process { setsched };
|
||||
|
||||
@ -69,3 +67,4 @@ unix_socket_send(lmkd, statsdw, statsd)
|
||||
|
||||
# never honor LD_PRELOAD
|
||||
neverallow * lmkd:process noatsecure;
|
||||
neverallow lmkd self:global_capability_class_set sys_ptrace;
|
||||
|
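Review bot: The rules `r_dir_file(lmkd, domain)`, `allow lmkd domain:file write;` and `allow lmkd domain:process { setsched sigkill };` cover every type carrying the `domain` attribute, while the comment promises only "any registered process". Registration is lmkd's own bookkeeping, so policy no longer bounds which processes lmkd can signal, or whose /proc/PID files it can write, if lmkd or one of its socket clients misbehaves. The existing `## TODO: maybe scope this down?` now sits above a broader grant than the appdomain and system_server rules it appears to replace. Consider a dedicated attribute for killable native services, or at least split the rule into `allow lmkd domain:process setsched;` and `allow lmkd { domain -init -kernel }:process sigkill;` if those two domains are never registered, and reword the comment to say the grant covers all domains. The old/new sides are inferred from the 19-to-17 line counts in the hunk header because the markers are lost on this page.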