From c8ed855edec0bf11cfcb6a713fd988e6d00dccc9 Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan <surenb@google.com>
Date: Tue, 24 Jul 2018 17:04:18 -0700
Subject: [PATCH] Selinux: Allow lmkd write access to sys.lmk. properties

Allow lmkd write access to sys.lmk. properties to be able to set
sys.lmk.minfree_levels.

Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/property_contexts           | 1 +
 public/lmkd.te                      | 3 +++
 public/property.te                  | 2 ++
 6 files changed, 9 insertions(+)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7e04f0765..96b3b078d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -111,6 +111,7 @@
     storaged_data_file
     sysfs_fs_ext4_features
     system_boot_reason_prop
+    system_lmk_prop
     system_net_netd_hwservice
     system_update_service
     test_boot_reason_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 6e4147e5d..2772cd729 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -97,6 +97,7 @@
     statsdw_socket
     storaged_data_file
     system_boot_reason_prop
+    system_lmk_prop
     system_update_service
     test_boot_reason_prop
     time_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index a8f6feca2..91ef8df4a 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -11,6 +11,7 @@
     llkd_tmpfs
     mnt_product_file
     overlayfs_file
+    system_lmk_prop
     time_prop
     timedetector_service
     timezonedetector_service
diff --git a/private/property_contexts b/private/property_contexts
index 37d442754..2726d84a6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -73,6 +73,7 @@ sys.boot.reason         u:object_r:system_boot_reason_prop:s0
 sys.boot.reason.last    u:object_r:last_boot_reason_prop:s0
 pm.                     u:object_r:pm_prop:s0
 test.sys.boot.reason    u:object_r:test_boot_reason_prop:s0
+sys.lmk.                u:object_r:system_lmk_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
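Review bot: The added `sys.lmk.` entry is a prefix match, so every property under that prefix is labelled system_lmk_prop and becomes settable by lmkd, while the commit message names only sys.lmk.minfree_levels. If that is the only property lmkd needs to write, an exact entry such as `sys.lmk.minfree_levels u:object_r:system_lmk_prop:s0 exact string` would keep the grant to that one name (the value type is an assumption to confirm). Any existing sys.lmk.* property presumably moves off its previous label with this change. The only rule for the new type visible in this patch is the set_prop for lmkd, so it is worth confirming that whatever reads these properties still has access on compatible-property builds.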
diff --git a/public/lmkd.te b/public/lmkd.te
index 472946ece..a82e0a068 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -35,6 +35,9 @@ allow lmkd self:global_capability_class_set sys_nice;
 
 allow lmkd proc_zoneinfo:file r_file_perms;
 
+# Set sys.lmk.* properties.
+set_prop(lmkd, system_lmk_prop)
+
 # live lock watchdog process allowed to look through /proc/
 allow lmkd domain:dir { search open read };
 allow lmkd domain:file { open read };
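Review bot: Nothing in the added lines stops another domain from later being granted write access to system_lmk_prop; the new `set_prop(lmkd, system_lmk_prop)` only adds lmkd as a writer. If lmkd is meant to be the sole publisher of these values, a neverallow beside the grant would pin that, for example `neverallow { domain -init -lmkd } system_lmk_prop:property_service set;`, with whatever further exclusions the non-compatible-property build turns out to need. The comment could also name the property the commit is about, e.g. `# lmkd publishes sys.lmk.minfree_levels; no other domain should set sys.lmk.* properties.`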
diff --git a/public/property.te b/public/property.te
index d8d01bb9e..7e6c93995 100644
--- a/public/property.te
+++ b/public/property.te
@@ -35,6 +35,7 @@ type fingerprint_prop, property_type, core_property_type;
 type firstboot_prop, property_type;
 type hwservicemanager_prop, property_type;
 type last_boot_reason_prop, property_type;
+type system_lmk_prop, property_type;
 type logd_prop, property_type, core_property_type;
 type logpersistd_logging_prop, property_type;
 type log_prop, property_type, log_property_type;
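Review bot: The new `type system_lmk_prop, property_type;` sits between last_boot_reason_prop and logd_prop, which breaks the alphabetical order the surrounding declarations appear to follow. The same applies to `-system_lmk_prop` in the exclusion list of the second hunk of this file. Moving both next to the other system_* entries would keep the lists easy to scan and to audit. The exclusion list begins outside that hunk, so the rule it belongs to cannot be checked from here; it is worth confirming that exempting the new type from it is intended.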
@@ -381,6 +382,7 @@ compatible_property_only(`
     -firstboot_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
+    -system_lmk_prop
     -log_prop
     -log_tag_prop
     -logd_prop
-- 
GitLab