llkd: add live-lock daemon am: e4b3e0b6

am: 2ab61922 Change-Id: I3d441fd18d91680d8a5bf0732472c2f470076e02

llkd: add live-lock daemon am: e4b3e0b6
am: 2ab61922 Change-Id: I3d441fd18d91680d8a5bf0732472c2f470076e02
a60f4103 · Mark Salyzyn · android-build-merger · 60d7b2ff · 2ab61922 · a60f4103
Commit a60f4103 authored 6 years ago by Mark Salyzyn Committed by android-build-merger 6 years ago
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -63,6 +63,9 @@
    incident_helper
    incident_helper_exec
    kmsg_debug_device
+    llkd
+    llkd_exec
+    llkd_tmpfs
    last_boot_reason_prop
    lowpan_device
    lowpan_prop

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,9 @@
    incident_helper
    incident_helper_exec
    last_boot_reason_prop
+    llkd
+    llkd_exec
+    llkd_tmpfs
    lowpan_device
    lowpan_prop
    lowpan_service

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -247,6 +247,7 @@
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
+/system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -38,7 +38,7 @@ genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0

--- a/private/llkd.te
+++ b/private/llkd.te
+# llkd Live LocK Daemon
+typeattribute llkd coredomain;
+init_daemon_domain(llkd)
+allow llkd self:global_capability_class_set kill;
+# llkd optionally locks itself in memory, to prevent it from being
+# swapped out and unable to discover a kernel in live-lock state.
+allow llkd self:global_capability_class_set ipc_lock;
+# Send kill signals to _anyone_ suffering from Live Lock
+allow llkd domain:process sigkill;
+# live lock watchdog process allowed to look through /proc/
+allow llkd domain:dir r_dir_perms;
+allow llkd domain:file r_file_perms;
+allow llkd domain:lnk_file read;
+# Set /proc/sys/kernel/hung_task_*
+allow llkd proc_hung_task:file rw_file_perms;
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow llkd proc_sysrq:file w_file_perms;
+allow llkd kmsg_device:chr_file w_file_perms;
+### neverallow rules
+neverallow { domain -init } llkd:process { dyntransition transition };
+# never honor LD_PRELOAD
+neverallow * llkd:process noatsecure;
--- a/public/llkd.te
+++ b/public/llkd.te
+# llkd Live LocK Daemon
+type llkd, domain, mlstrustedsubject;
+type llkd_exec, exec_type, file_type;