lmkd: limit capability set to minimum Set F() capability set and 'drop' lmkd from AID_ROOT to AID_LMKD uid and from AID_ROOT to AID_LMKD and AID_SYSTEM gid. /dev/memcg/memory.pressure defaults to root.root mode 0000, set it up as root.system mode 0040 to allow lmkd read access. Instrument failure to set SCHED_FIFO. Annotate access points that require elevated capabilities. Test: check /proc/`pidof lmkd`/status for capability set Test: lmkd_unit_test Bug: 77650566 Change-Id: I986081a0434cf6e842b63a55726380205b30a3ea

commit: 64d97d87611a39163aa121f17214f4a846954cee [log] [tgz]
author: Mark Salyzyn <salyzyn@google.com> Mon Apr 09 09:50:32 2018 -0700
committer: Mark Salyzyn <salyzyn@google.com> Mon Apr 16 14:51:56 2018 -0700
tree: 2aadfbf34c59d3107bd9030f4f635e8ab1829493
parent: 22dc27b9fa46b20aca4f5982979681a858a97284 [diff] [blame]
diff --git a/lmkd/lmkd.rc b/lmkd/lmkd.rc
index 3bb84ab..76b6055 100644
--- a/lmkd/lmkd.rc
+++ b/lmkd/lmkd.rc

@@ -1,6 +1,8 @@
 service lmkd /system/bin/lmkd
     class core
-    group root readproc
+    user lmkd
+    group lmkd system readproc
+    capabilities DAC_OVERRIDE KILL IPC_LOCK SYS_NICE SYS_RESOURCE
     critical
     socket lmkd seqpacket 0660 system system
     writepid /dev/cpuset/system-background/tasks
commit	64d97d87611a39163aa121f17214f4a846954cee	[log] [tgz]
author	Mark Salyzyn <salyzyn@google.com>	Mon Apr 09 09:50:32 2018 -0700
committer	Mark Salyzyn <salyzyn@google.com>	Mon Apr 16 14:51:56 2018 -0700
tree	2aadfbf34c59d3107bd9030f4f635e8ab1829493
parent	22dc27b9fa46b20aca4f5982979681a858a97284 [diff] [blame]