xref: /aosp_15_r20/system/sepolicy/prebuilts/api/33.0/private/llkd.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# llkd Live LocK Daemon
2typeattribute llkd coredomain;
3
4init_daemon_domain(llkd)
5
6get_prop(llkd, llkd_prop)
7
8allow llkd self:global_capability_class_set kill;
9userdebug_or_eng(`
10  allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
11  allow llkd self:global_capability_class_set { dac_override dac_read_search };
12')
13
14# llkd optionally locks itself in memory, to prevent it from being
15# swapped out and unable to discover a kernel in live-lock state.
16allow llkd self:global_capability_class_set ipc_lock;
17
18# Send kill signals to _anyone_ suffering from Live Lock
19allow llkd domain:process sigkill;
20
21# read stack to check for Live Lock
22userdebug_or_eng(`
23  allow llkd {
24    domain
25    -apexd
26    -diced
27    -kernel
28    -keystore
29    -init
30    -llkd
31    -ueventd
32    -vendor_init
33  }:process ptrace;
34')
35
36# live lock watchdog process allowed to look through /proc/
37allow llkd domain:dir r_dir_perms;
38allow llkd domain:file r_file_perms;
39allow llkd domain:lnk_file read;
40# Set /proc/sys/kernel/hung_task_*
41allow llkd proc_hung_task:file rw_file_perms;
42
43# live lock watchdog process allowed to dump process trace and
44# reboot because orderly shutdown may not be possible.
45allow llkd proc_sysrq:file rw_file_perms;
46allow llkd kmsg_device:chr_file w_file_perms;
47
48### neverallow rules
49
50neverallow { domain -init } llkd:process { dyntransition transition };
51neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
52
53# never honor LD_PRELOAD
54neverallow * llkd:process noatsecure;
55