path: root/lmkd.te
Commit message | Author | Age | Files | Lines
* More MLS trusted subject/object annotations. | Stephen Smalley | 2014-09-15 | 1 | -1/+1

  dumpstate and lmkd need to act on apps running at any level. Various file types need to be writable by apps running at any level.

  Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* lmkd: avoid locking libsigchain into memory | Nick Kralevich | 2014-07-17 | 1 | -0/+5

  https://android-review.googlesource.com/94851 added an LD_PRELOAD line to init.environ.rc.in. This has the effect of loading libsigchain.so into every process' memory space, regardless of whether it wants it or not.

  For lmkd, it doesn't need libsigchain, so it doesn't make any sense to load it and keep it locked in memory.

  Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the linker to not honor security sensitive environment variables such as LD_PRELOAD. This prevents libsigchain.so from being loaded into lmkd's memory.

  Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e

* lmkd: allow lmkd to lock itself in memory | Nick Kralevich | 2014-07-16 | 1 | -0/+6

  addresses the following denial:

  type=1400 audit(1.871:3): avc: denied { ipc_lock } for pid=1406 comm="lmkd" capability=14 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

  Bug: 16236289
  Change-Id: Id9923c16c6db026dd5d28996126f503c5c1d7c87

* lmkd: allow removing cgroups and setting self to SCHED_FIFO | Colin Cross | 2014-07-14 | 1 | -0/+6

  Addresses the following selinux denials:

  type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
  type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0

  Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b

* allow lmkd to kill processes. | Nick Kralevich | 2014-03-04 | 1 | -0/+3

  The previous patch wasn't sufficient. Allow the kill signal.

  Addresses the following denial:

  <5>[ 775.819223] type=1400 audit(1393978653.489:18): avc: denied { sigkill } for pid=118 comm="lmkd" scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=process

  Bug: 13084787
  Change-Id: I6af1ed4343b590049809a59e4f2797f6049f12e4

* Give lmkd kill capability | Nick Kralevich | 2014-02-27 | 1 | -1/+1

  lmkd needs the capability to kill processes.

  Addresses the following denial:

  <5>[12619.064604] type=1400 audit(1393540506.745:2565): avc: denied { kill } for pid=116 comm="lmkd" capability=5 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

  Addresses the following errors:

  02-27 13:13:50.995 116 116 I lowmemorykiller: Killing 'com.google.android.deskclock' (7133), adj 15
  02-27 13:13:50.995 116 116 I lowmemorykiller: to free 33836kB because cache 118512kB is below limit 122880kB for oom_adj 15
  02-27 13:13:50.995 116 116 I lowmemorykiller: Free memory is -28472kB below reserved
  02-27 13:13:50.995 116 116 E lowmemorykiller: kill(7133): errno=1

  Change-Id: I7cca238610307aba9d77aa2e52a32ebd6aec3f3c

* lmkd: add sys_resource | Nick Kralevich | 2014-02-19 | 1 | -1/+1

  Addresses the following denial / error:

  E/lowmemorykiller( 187): Error writing /proc/1148/oom_adj; errno=13
  [ 118.264668] type=1400 audit(947231128.209:140): avc: denied { sys_resource } for pid=187 comm="lmkd" capability=24 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

  Change-Id: Ief2a7ead9cdd8a33e3add111ee99f7a29c12a3f2

* Make lmkd enforcing. | Nick Kralevich | 2014-02-14 | 1 | -1/+0

  Start enforcing SELinux rules for lmkd. Security policy violations will return an error instead of being allowed.

  Change-Id: I2bad2c2094d93ebbcb8ccc4b7f3369419004a3f0

* initial lmkd policy. | Nick Kralevich | 2014-02-13 | 1 | -0/+12

  * Allow writes to /proc/PID/oom_score_adj
  * Allow writes to /sys/module/lowmemorykiller/*

  Addresses the following denials:

  <5>[ 3.825371] type=1400 audit(9781555.430:5): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  <5>[ 48.874747] type=1400 audit(9781600.639:16): avc: denied { search } for pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir
  <5>[ 48.874889] type=1400 audit(9781600.639:17): avc: denied { dac_override } for pid=176 comm="lmkd" capability=1 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
  <5>[ 48.874982] type=1400 audit(9781600.639:18): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
  <5>[ 48.875075] type=1400 audit(9781600.639:19): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
  <5>[ 49.409231] type=1400 audit(9781601.169:20): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  <5>[ 209.081990] type=1400 audit(9781760.839:24): avc: denied { search } for pid=176 comm="lmkd" name="1556" dev="proc" ino=10961 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=dir
  <5>[ 209.082240] type=1400 audit(9781760.839:25): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
  <5>[ 209.082498] type=1400 audit(9781760.839:26): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
  <5>[ 209.119673] type=1400 audit(9781760.879:27): avc: denied { search } for pid=176 comm="lmkd" name="1577" dev="proc" ino=12708 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=dir
  <5>[ 209.119937] type=1400 audit(9781760.879:28): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
  <5>[ 209.120105] type=1400 audit(9781760.879:29): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
  <5>[ 209.235597] type=1400 audit(9781760.999:30): avc: denied { search } for pid=176 comm="lmkd" name="1600" dev="proc" ino=11659 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
  <5>[ 209.235798] type=1400 audit(9781760.999:31): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
  <5>[ 209.236006] type=1400 audit(9781760.999:32): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
  <5>[ 214.297283] type=1400 audit(9781766.059:64): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
  <5>[ 214.297415] type=1400 audit(9781766.059:65): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
  <5>[ 214.355060] type=1400 audit(9781766.119:66): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
  <5>[ 214.355236] type=1400 audit(9781766.119:67): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
  <5>[ 214.516920] type=1400 audit(9781766.279:68): avc: denied { search } for pid=176 comm="lmkd" name="1907" dev="proc" ino=11742 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=dir
  <5>[ 214.678861] type=1400 audit(9781766.439:69): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
  <5>[ 214.678992] type=1400 audit(9781766.439:70): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
  <5>[ 214.708284] type=1400 audit(9781766.469:71): avc: denied { search } for pid=176 comm="lmkd" name="1765" dev="proc" ino=12851 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
  <5>[ 214.708435] type=1400 audit(9781766.469:72): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
  <5>[ 214.708648] type=1400 audit(9781766.469:73): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file

  Change-Id: Ie3c1ab8ce9e77742d0cc3c73f40010afd018ccd4

* Make lmkd permissive or unconfined. | Stephen Smalley | 2014-02-11 | 1 | -2/+1

  Otherwise we'll never see denials in userdebug or eng builds and never make progress on confining it. Of course we cannot truly test until it is released into AOSP, but this prepares the way and potentially allows for internal testing and collection of denials.

  Change-Id: Ic9d1ba872d43f322e39ca6cffa0e725f1e223e7b
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Move lmkd into its own domain. | Nick Kralevich | 2013-12-06 | 1 | -0/+7

  lmkd low memory killer daemon

  The kernel low memory killer logic has been moved to a new daemon called lmkd. ActivityManager communicates with this daemon over a named socket.

  This is just a placeholder policy, starting off in unconfined_domain.

  Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10