llkd: Skip apexd for process checks

apexd is a sensitive daemon, and the ability to ptrace this domain is
restricted by SELinux policy.  apexd spawns a binder thread which
makes matching difficult, as we would instead need to use
/system/bin/apexd as the blacklist key.

Change llkd to also check for a match on the basename of the
executable path.  This will solve a gotcha expectation when creating
a blacklist key.

Without this change, llkd continues to generate SELinux denials of

type=1400 audit(0.0:1764): avc: denied { ptrace } for comm="llkd" scontext=u:r:llkd:s0 tcontext=u:r:apexd:s0 tclass=process permissive=0

Commit 5390b9add4e567eeeeeabc3d39d588c21cb5d543 was originally intended
to fix these denials, but it seems to have had no effect and the denials
are still being generated.  This change will fix it.

Test: none
Change-Id: I00aa10dfff30c65a120ad30582b820e2d4b1bb38

2 files changed, 10 insertions, 4 deletions

diff --git a/llkd/include/llkd.h b/llkd/include/llkd.h
index 4d39dd917..2c62fca94 100644
--- a/llkd/include/llkd.h
+++ b/llkd/include/llkd.h
@@ -51,13 +51,13 @@ unsigned llkCheckMilliseconds(void);
 #define LLK_CHECK_STACK_DEFAULT        "cma_alloc,__get_user_pages"
 #define LLK_BLACKLIST_PROCESS_PROPERTY "ro.llk.blacklist.process"
 #define LLK_BLACKLIST_PROCESS_DEFAULT  \
-    "0,1,2,init,[kthreadd],[khungtaskd],lmkd,lmkd.llkd,llkd,watchdogd,[watchdogd],[watchdogd/0]"
+    "0,1,2,init,[kthreadd],[khungtaskd],lmkd,llkd,watchdogd,[watchdogd],[watchdogd/0]"
 #define LLK_BLACKLIST_PARENT_PROPERTY  "ro.llk.blacklist.parent"
 #define LLK_BLACKLIST_PARENT_DEFAULT   "0,2,[kthreadd]"
 #define LLK_BLACKLIST_UID_PROPERTY     "ro.llk.blacklist.uid"
 #define LLK_BLACKLIST_UID_DEFAULT      ""
 #define LLK_BLACKLIST_STACK_PROPERTY   "ro.llk.blacklist.process.stack"
-#define LLK_BLACKLIST_STACK_DEFAULT    "init,lmkd.llkd,llkd,keystore,/system/bin/keystore,ueventd,apexd"
+#define LLK_BLACKLIST_STACK_DEFAULT    "init,lmkd.llkd,llkd,keystore,ueventd,apexd"
 /* clang-format on */
 
 __END_DECLS
diff --git a/llkd/libllkd.cpp b/llkd/libllkd.cpp
index 6840ed09b..2727aab94 100644
--- a/llkd/libllkd.cpp
+++ b/llkd/libllkd.cpp
@@ -712,6 +712,7 @@ bool llkCheckStack(proc* procp, const std::string& piddir) {
     if (llkSkipName(std::to_string(procp->pid), llkBlacklistStack)) return false;
     if (llkSkipName(procp->getComm(), llkBlacklistStack)) return false;
     if (llkSkipName(procp->getCmdline(), llkBlacklistStack)) return false;
+    if (llkSkipName(android::base::Basename(procp->getCmdline()), llkBlacklistStack)) return false;
 
     auto kernel_stack = ReadFile(piddir + "/stack");
     if (kernel_stack.empty()) {
@@ -995,13 +996,18 @@ milliseconds llkCheck(bool checkRunning) {
             if (llkSkipName(procp->getCmdline())) {
                 break;
             }
+            if (llkSkipName(android::base::Basename(procp->getCmdline()))) {
+                break;
+            }
 
             auto pprocp = llkTidLookup(ppid);
             if (pprocp == nullptr) {
                 pprocp = llkTidAlloc(ppid, ppid, 0, "", 0, '?');
             }
-            if ((pprocp != nullptr) && (llkSkipName(pprocp->getComm(), llkBlacklistParent) ||
-                                        llkSkipName(pprocp->getCmdline(), llkBlacklistParent))) {
+            if ((pprocp != nullptr) &&
+                (llkSkipName(pprocp->getComm(), llkBlacklistParent) ||
+                 llkSkipName(pprocp->getCmdline(), llkBlacklistParent) ||
+                 llkSkipName(android::base::Basename(pprocp->getCmdline()), llkBlacklistParent))) {
                 break;
             }