xref: /aosp_15_r20/system/sepolicy/prebuilts/api/33.0/private/llkd.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# Domain setup for llkd. The type is tagged coredomain, the
# init_daemon_domain macro is applied to it, and it gets read access to
# properties of type llkd_prop. init_daemon_domain and get_prop are macros
# defined elsewhere in the policy tree (not shown in this file); the
# neverallow at the bottom of this file confirms init is the only domain
# permitted to transition into llkd.
1*e4a36f41SAndroid Build Coastguard Worker# llkd Live LocK Daemon
2*e4a36f41SAndroid Build Coastguard Workertypeattribute llkd coredomain;
3*e4a36f41SAndroid Build Coastguard Worker
4*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(llkd)
5*e4a36f41SAndroid Build Coastguard Worker
6*e4a36f41SAndroid Build Coastguard Workerget_prop(llkd, llkd_prop)
7*e4a36f41SAndroid Build Coastguard Worker
# The kill capability is granted on every build type (it is not wrapped in
# userdebug_or_eng). It is the DAC half of the sigkill rule further down:
# without it the kernel would refuse signals to processes owned by other
# UIDs even though SELinux allows them.
8*e4a36f41SAndroid Build Coastguard Workerallow llkd self:global_capability_class_set kill;
# Debug-build-only capabilities. Everything inside userdebug_or_eng() is
# dropped from user (production) builds, so a release device grants llkd
# none of the four capabilities below.
#   sys_ptrace      - capability counterpart of the process ptrace rule
#                     later in this file (also debug-build only)
#   sys_admin       - purpose is not stated in this file.
#                     NOTE(review): confirm what llkd needs it for before
#                     reusing this rule; sys_admin is very broad.
#   dac_override,
#   dac_read_search - bypass file mode checks; presumably needed to read
#                     per-process /proc entries owned by other UIDs
#                     (TODO confirm against the daemon source)
9*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(`
10*e4a36f41SAndroid Build Coastguard Worker  allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
11*e4a36f41SAndroid Build Coastguard Worker  allow llkd self:global_capability_class_set { dac_override dac_read_search };
12*e4a36f41SAndroid Build Coastguard Worker')
13*e4a36f41SAndroid Build Coastguard Worker
14*e4a36f41SAndroid Build Coastguard Worker# llkd optionally locks itself in memory, to prevent it from being
15*e4a36f41SAndroid Build Coastguard Worker# swapped out and unable to discover a kernel in live-lock state.
# ipc_lock is the capability that permits locking pages in memory
# (mlock/mlockall) beyond the memlock resource limit. Granted on all
# build types, since the rule is not inside userdebug_or_eng.
16*e4a36f41SAndroid Build Coastguard Workerallow llkd self:global_capability_class_set ipc_lock;
17*e4a36f41SAndroid Build Coastguard Worker
18*e4a36f41SAndroid Build Coastguard Worker# Send kill signals to _anyone_ suffering from Live Lock
# The target is the whole domain attribute with no exclusions, and the
# rule applies on user builds too. Only sigkill is granted; no other
# process signal permission (signal, sigstop, sigchld, signull) appears
# anywhere in this file.
19*e4a36f41SAndroid Build Coastguard Workerallow llkd domain:process sigkill;
20*e4a36f41SAndroid Build Coastguard Worker
21*e4a36f41SAndroid Build Coastguard Worker# read stack to check for Live Lock
# Debug builds only: on user builds llkd has no ptrace permission on any
# process. The target set is the domain attribute minus eight types
# (apexd, diced, kernel, keystore, init, llkd, ueventd, vendor_init), so
# those can never be ptraced by llkd even on userdebug/eng.
# NOTE(review): the reason for each exclusion is not given here; presumably
# these domains carry their own neverallow rules on ptrace elsewhere in the
# policy and this list keeps the build from failing them - confirm.
22*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(`
23*e4a36f41SAndroid Build Coastguard Worker  allow llkd {
24*e4a36f41SAndroid Build Coastguard Worker    domain
25*e4a36f41SAndroid Build Coastguard Worker    -apexd
26*e4a36f41SAndroid Build Coastguard Worker    -diced
27*e4a36f41SAndroid Build Coastguard Worker    -kernel
28*e4a36f41SAndroid Build Coastguard Worker    -keystore
29*e4a36f41SAndroid Build Coastguard Worker    -init
30*e4a36f41SAndroid Build Coastguard Worker    -llkd
31*e4a36f41SAndroid Build Coastguard Worker    -ueventd
32*e4a36f41SAndroid Build Coastguard Worker    -vendor_init
33*e4a36f41SAndroid Build Coastguard Worker  }:process ptrace;
34*e4a36f41SAndroid Build Coastguard Worker')
35*e4a36f41SAndroid Build Coastguard Worker
36*e4a36f41SAndroid Build Coastguard Worker# live lock watchdog process allowed to look through /proc/
# Entries under /proc/<pid> are labeled with the context of the process
# they describe, which is why these rules name the domain attribute as a
# file/dir/lnk_file target. All three are read-only: r_dir_perms and
# r_file_perms are permission-set macros defined elsewhere in the policy,
# and symlinks get read only.
37*e4a36f41SAndroid Build Coastguard Workerallow llkd domain:dir r_dir_perms;
38*e4a36f41SAndroid Build Coastguard Workerallow llkd domain:file r_file_perms;
39*e4a36f41SAndroid Build Coastguard Workerallow llkd domain:lnk_file read;
40*e4a36f41SAndroid Build Coastguard Worker# Set /proc/sys/kernel/hung_task_*
# Read and write, on all build types. This tunes the kernel hung-task
# detector settings, which affect the whole system.
41*e4a36f41SAndroid Build Coastguard Workerallow llkd proc_hung_task:file rw_file_perms;
42*e4a36f41SAndroid Build Coastguard Worker
43*e4a36f41SAndroid Build Coastguard Worker# live lock watchdog process allowed to dump process trace and
44*e4a36f41SAndroid Build Coastguard Worker# reboot because orderly shutdown may not be possible.
# Both rules apply on user builds as well. Write access to proc_sysrq
# means anything running as llkd can request task dumps and force a
# reboot through sysrq, so this daemon is a sensitive one to audit.
# kmsg_device is write-only here (w_file_perms): llkd can emit to the
# kernel log but this rule does not let it read the log back.
45*e4a36f41SAndroid Build Coastguard Workerallow llkd proc_sysrq:file rw_file_perms;
46*e4a36f41SAndroid Build Coastguard Workerallow llkd kmsg_device:chr_file w_file_perms;
47*e4a36f41SAndroid Build Coastguard Worker
# neverallow rules are build-time assertions: policy compilation fails if
# any allow rule, here or in another file, grants what they forbid. They
# protect llkd itself, which matters given the kill and sysrq access
# granted above.
48*e4a36f41SAndroid Build Coastguard Worker### neverallow rules
49*e4a36f41SAndroid Build Coastguard Worker
# Only init may enter the llkd domain, by either an exec-time transition
# or a dyntransition.
50*e4a36f41SAndroid Build Coastguard Workerneverallow { domain -init } llkd:process { dyntransition transition };
# No domain may ptrace llkd. The single carve-out is crash_dump, and only
# on userdebug/eng builds; on user builds the source set is all of domain.
51*e4a36f41SAndroid Build Coastguard Workerneverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
52*e4a36f41SAndroid Build Coastguard Worker
53*e4a36f41SAndroid Build Coastguard Worker# never honor LD_PRELOAD
# The noatsecure permission would let a caller exec into llkd without the
# kernel setting AT_SECURE. Forbidding it for every source keeps
# secure-exec mode on, so the dynamic linker ignores LD_PRELOAD and
# similar environment variables inherited from the parent.
54*e4a36f41SAndroid Build Coastguard Workerneverallow * llkd:process noatsecure;