lmkd.te

# lmkd low memory killer daemon
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;

init_daemon_domain(lmkd)

allow lmkd self:capability { dac_override sys_resource kill };

# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
# b/16236289
allow lmkd self:capability ipc_lock;

## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain)
allow lmkd appdomain:file write;
r_dir_file(lmkd, system_server)
allow lmkd system_server:file write;

## Writes to /sys/module/lowmemorykiller/parameters/minfree
allow lmkd sysfs_lowmemorykiller:file w_file_perms;

# Send kill signals
allow lmkd appdomain:process sigkill;

# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };

# Set self to SCHED_FIFO
allow lmkd self:capability sys_nice;

### neverallow rules

# never honor LD_PRELOAD
neverallow domain lmkd:process noatsecure;