# llkd Live LocK Daemon
#
# SELinux policy for the llkd domain. The rules below describe a watchdog
# that may read every process entry under /proc, send SIGKILL to any type
# carrying the domain attribute, and write to the sysrq and kmsg nodes.
# The neverallow section at the end limits who may enter or trace llkd.
typeattribute llkd coredomain;

# Macro defined outside this file.
# NOTE(review): expected to set up the init -> llkd domain transition for
# the daemon executable; confirm against the macro definition.
init_daemon_domain(llkd)

# Macro defined outside this file; by its name it grants llkd read access
# to properties labelled llkd_prop.
get_prop(llkd, llkd_prop)

# kill capability on all builds: llkd may signal processes regardless of
# the UID they run as.
allow llkd self:global_capability_class_set kill;
# The next block is wrapped in userdebug_or_eng, so by the macro name it is
# limited to userdebug and eng builds. It adds sys_ptrace plus the two
# capabilities that bypass discretionary file permission checks
# (dac_override, dac_read_search). None of the three is granted outside
# that macro anywhere in this file.
userdebug_or_eng(`
  allow llkd self:global_capability_class_set sys_ptrace;
  allow llkd self:global_capability_class_set { dac_override dac_read_search };
')

# llkd optionally locks itself in memory, to prevent it from being
# swapped out and unable to discover a kernel in live-lock state.
allow llkd self:global_capability_class_set ipc_lock;

# Send kill signals to _anyone_ suffering from Live Lock
# The target is the domain attribute, not a list of types, so sigkill
# reaches every type that carries it. sigkill is the only signal
# permission this file grants toward other processes. A compromised llkd
# could therefore terminate any such process; review changes to the
# daemon with that in mind.
allow llkd domain:process sigkill;

# read stack to check for Live Lock
# Debug builds only (userdebug_or_eng). The subtraction list keeps ptrace
# away from apexd, kernel, keystore, init, llkd itself, ueventd and
# vendor_init even there. This rule pairs with the sys_ptrace capability
# granted in the earlier userdebug_or_eng block.
userdebug_or_eng(`
  allow llkd {
    domain
    -apexd
    -kernel
    -keystore
    -init
    -llkd
    -ueventd
    -vendor_init
  }:process ptrace;
')

# live lock watchdog process allowed to look through /proc/
# Read-only access (r_dir_perms, r_file_perms, read on symlinks).
# NOTE(review): the target is the domain attribute, presumably because
# /proc/<pid> entries carry the label of the owning process; confirm.
allow llkd domain:dir r_dir_perms;
allow llkd domain:file r_file_perms;
allow llkd domain:lnk_file read;
# Set /proc/sys/kernel/hung_task_*
# Read and write (rw_file_perms) on files labelled proc_hung_task.
allow llkd proc_hung_task:file rw_file_perms;

# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
# Both grants are write-only (w_file_perms). Write access to the sysrq
# node is enough to force a reboot, as the comment above says, so these
# are among the most sensitive rules in the file. Audit any change that
# lets another domain share them.
allow llkd proc_sysrq:file w_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;

### neverallow rules

# Only init may move a process into the llkd domain, whether by exec
# transition or by dyntransition.
neverallow { domain -init } llkd:process { dyntransition transition };
# No domain may ptrace llkd. The crash_dump exception sits inside
# userdebug_or_eng, so by the macro name it is absent on user builds.
neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;

# never honor LD_PRELOAD
# With noatsecure never allowed, a transition into llkd always runs in
# secure-exec mode (AT_SECURE set), in which the dynamic linker ignores
# LD_PRELOAD and similar environment variables.
neverallow * llkd:process noatsecure;