From 4e1c5764b532d392ef0fe66a85860f046763df9c Mon Sep 17 00:00:00 2001
From: Rafal Slawik <rslawik@google.com>
Date: Thu, 15 Nov 2018 13:04:13 +0000
Subject: [PATCH] SELinux policy for rss_hwm_reset

rss_hwm_reset is binary that reset RSS high-water mark counters for all
currently running processes. It runs in a separate process because it
needs dac_override capability.

Bug: 119603799
Test: no errors in logcat
Change-Id: I6221a5eca3427bf532830575d8fba98eb3e65c29
---
 private/compat/28.0/28.0.ignore.cil |  2 ++
 private/file_contexts               |  1 +
 private/rss_hwm_reset.te            | 14 ++++++++++++++
 public/domain.te                    |  1 +
 public/rss_hwm_reset.te             |  2 ++
 5 files changed, 20 insertions(+)
 create mode 100644 private/rss_hwm_reset.te
 create mode 100644 public/rss_hwm_reset.te

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 461b53e03..d0c81e4ff 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -64,6 +64,8 @@
     overlayfs_file
     recovery_socket
     role_service
+    rss_hwm_reset
+    rss_hwm_reset_exec
     runtime_service
     super_block_device
     system_lmk_prop
diff --git a/private/file_contexts b/private/file_contexts
index fac31a087..0d0835d28 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -251,6 +251,7 @@
 /system/bin/usbd   u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
+/system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
diff --git a/private/rss_hwm_reset.te b/private/rss_hwm_reset.te
new file mode 100644
index 000000000..30818c2fa
--- /dev/null
+++ b/private/rss_hwm_reset.te
@@ -0,0 +1,14 @@
+type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
+
+# Start rss_hwm_reset from init.
+init_daemon_domain(rss_hwm_reset)
+
+# Search /proc/pid directories.
+allow rss_hwm_reset domain:dir search;
+
+# Write to /proc/pid/clear_refs of other processes.
+# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
+allow rss_hwm_reset self:global_capability_class_set { dac_override };
+
+# Write to /prc/pid/clear_refs.
+allow rss_hwm_reset domain:file w_file_perms;
diff --git a/public/domain.te b/public/domain.te
index d0e4e41fe..ab6610f14 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1354,6 +1354,7 @@ define(`dac_override_allowed', `{
   perfprofd
   postinstall_dexopt
   recovery
+  rss_hwm_reset
   sdcardd
   tee
   ueventd
diff --git a/public/rss_hwm_reset.te b/public/rss_hwm_reset.te
new file mode 100644
index 000000000..163e1acde
--- /dev/null
+++ b/public/rss_hwm_reset.te
@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
-- 
GitLab