lmkd: limit capability set to minimum Set F() capability set and 'drop' lmkd from AID_ROOT to AID_LMKD uid and from AID_ROOT to AID_LMKD and AID_SYSTEM gid. /dev/memcg/memory.pressure defaults to root.root mode 0000, set it up as root.system mode 0040 to allow lmkd read access. Instrument failure to set SCHED_FIFO. Annotate access points that require elevated capabilities. Test: check /proc/`pidof lmkd`/status for capability set Test: lmkd_unit_test Bug: 77650566 Change-Id: I986081a0434cf6e842b63a55726380205b30a3ea

commit: 64d97d87611a39163aa121f17214f4a846954cee [log] [tgz]
author: Mark Salyzyn <salyzyn@google.com> Mon Apr 09 09:50:32 2018 -0700
committer: Mark Salyzyn <salyzyn@google.com> Mon Apr 16 14:51:56 2018 -0700
tree: 2aadfbf34c59d3107bd9030f4f635e8ab1829493
parent: 22dc27b9fa46b20aca4f5982979681a858a97284 [diff]
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 1462570..4f008ac 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -34,6 +34,9 @@
     # root memory control cgroup, used by lmkd
     mkdir /dev/memcg 0700 root system
     mount cgroup none /dev/memcg nodev noexec nosuid memory
+    # memory.pressure_level used by lmkd
+    chown root system /dev/memcg/memory.pressure_level
+    chmod 0040 /dev/memcg/memory.pressure_level
     # app mem cgroups, used by activity manager, lmkd and zygote
     mkdir /dev/memcg/apps/ 0755 system system
     # cgroup for system_server and surfaceflinger
commit	64d97d87611a39163aa121f17214f4a846954cee	[log] [tgz]
author	Mark Salyzyn <salyzyn@google.com>	Mon Apr 09 09:50:32 2018 -0700
committer	Mark Salyzyn <salyzyn@google.com>	Mon Apr 16 14:51:56 2018 -0700
tree	2aadfbf34c59d3107bd9030f4f635e8ab1829493
parent	22dc27b9fa46b20aca4f5982979681a858a97284 [diff]