llkd: Add stack symbol checking

llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126

private/compat/26.0/26.0.ignore.cil

@@ -76,10 +76,11 @@
     incident_helper
     incident_helper_exec
     kmsg_debug_device
+    last_boot_reason_prop
     llkd
     llkd_exec
+    llkd_prop
     llkd_tmpfs
-    last_boot_reason_prop
     lowpan_device
     lowpan_prop
     lowpan_service

private/compat/27.0/27.0.ignore.cil

@@ -69,6 +69,7 @@
     last_boot_reason_prop
     llkd
     llkd_exec
+    llkd_prop
     llkd_tmpfs
     lowpan_device
     lowpan_prop

private/compat/28.0/28.0.ignore.cil

@@ -14,6 +14,7 @@
     hal_system_suspend_default_tmpfs
     llkd
     llkd_exec
+    llkd_prop
     llkd_tmpfs
     mnt_product_file
     overlayfs_file

private/crash_dump.te

@@ -7,17 +7,23 @@ allow crash_dump {
   -init
   -kernel
   -keystore
+  -llkd
   -logd
   -ueventd
   -vendor_init
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };
+userdebug_or_eng(`
+  allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
+')
 
 neverallow crash_dump {
   bpfloader
   init
   kernel
   keystore
+  llkd
+  userdebug_or_eng(`-llkd')
   logd
   userdebug_or_eng(`-logd')
   ueventd

private/domain.te

@@ -8,6 +8,7 @@ allow domain crash_dump:process sigchld;
 neverallow {
   domain
   -vold
+  userdebug_or_eng(`-llkd')
   -dumpstate
   userdebug_or_eng(`-incidentd')
   -storaged

private/llkd.te

@@ -3,7 +3,13 @@ typeattribute llkd coredomain;
 
 init_daemon_domain(llkd)
 
+get_prop(llkd, llkd_prop)
+
 allow llkd self:global_capability_class_set kill;
+userdebug_or_eng(`
+  allow llkd self:global_capability_class_set sys_ptrace;
+  allow llkd self:global_capability_class_set dac_override;
+')
 
 # llkd optionally locks itself in memory, to prevent it from being
 # swapped out and unable to discover a kernel in live-lock state.
@@ -12,6 +18,16 @@ allow llkd self:global_capability_class_set ipc_lock;
 # Send kill signals to _anyone_ suffering from Live Lock
 allow llkd domain:process sigkill;
 
+# read stack to check for Live Lock
+userdebug_or_eng(`
+  allow llkd {
+    domain
+    -keystore
+    -init
+    -llkd
+  }:process ptrace;
+')
+
 # live lock watchdog process allowed to look through /proc/
 allow llkd domain:dir r_dir_perms;
 allow llkd domain:file r_file_perms;
@@ -27,6 +43,7 @@ allow llkd kmsg_device:chr_file w_file_perms;
 ### neverallow rules
 
 neverallow { domain -init } llkd:process { dyntransition transition };
+neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
 
 # never honor LD_PRELOAD
 neverallow * llkd:process noatsecure;

private/property_contexts

@@ -34,6 +34,10 @@ debug.                  u:object_r:debug_prop:s0
 debug.db.               u:object_r:debuggerd_prop:s0
 dumpstate.              u:object_r:dumpstate_prop:s0
 dumpstate.options       u:object_r:dumpstate_options_prop:s0
+llk.                    u:object_r:llkd_prop:s0
+khungtask.              u:object_r:llkd_prop:s0
+ro.llk.                 u:object_r:llkd_prop:s0
+ro.khungtask.           u:object_r:llkd_prop:s0
 log.                    u:object_r:log_prop:s0
 log.tag                 u:object_r:log_tag_prop:s0
 log.tag.WifiHAL         u:object_r:wifi_log_prop:s0

public/app.te

@@ -412,9 +412,15 @@ neverallow appdomain { domain -appdomain }:process ptrace;
 # of application data and execution state. Ptrace bypasses those
 # confidentiality guarantees. Disallow ptrace access from system components
 # to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.
+# produce stack traces.  llkd is excluded, as it needs ptrace access to
+# inspect stack traces for live lock conditions.
 
-neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
+neverallow {
+  domain
+  -appdomain
+  -crash_dump
+  userdebug_or_eng(`-llkd')
+} appdomain:process ptrace;
 
 # Read or write access to /proc/pid entries for any non-app domain.
 # A different form of hidepid=2 like protections

public/domain.te

@@ -1382,6 +1382,7 @@ neverallow {
   -init
   -installd
   -install_recovery
+  userdebug_or_eng(`-llkd')
   -lmkd
   -netd
   -perfprofd

public/logd.te

@@ -52,7 +52,7 @@ neverallow logd dev_type:blk_file { read write };
 neverallow logd domain:process ptrace;
 
 # ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
 
 # Write to /system.
 neverallow logd system_file:dir_file_class_set write;

public/property.te

@@ -36,6 +36,7 @@ type firstboot_prop, property_type;
 type hwservicemanager_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
+type llkd_prop, property_type;
 type logd_prop, property_type, core_property_type;
 type logpersistd_logging_prop, property_type;
 type log_prop, property_type, log_property_type;

public/te_macros

@@ -182,8 +182,9 @@ neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
 # of application data and execution state. Ptrace bypasses those
 # confidentiality guarantees. Disallow ptrace access from system components
 # to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.
-neverallow { domain -$1 -crash_dump } $1:process ptrace;
+# produce stack traces.  llkd is excluded, as it needs to inspect
+# the kernel stack for live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') } $1:process ptrace;
 ')
 
 #####################################