lmkd: allow lmkd to lock itself in memory
addresses the following denial:
type=1400 audit(1.871:3): avc: denied { ipc_lock } for pid=1406 comm="lmkd" capability=14 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
Bug: 16236289
(cherry picked from commit 6a1405d7457dee096a4d25e79844dfe62297943f)
Change-Id: I560f1e52eac9360d10d81fc8a9f60eba907a8466
diff --git a/lmkd.te b/lmkd.te
index b1ffca4..771c780 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -6,6 +6,12 @@
allow lmkd self:capability { dac_override sys_resource kill };
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:capability ipc_lock;
+
## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain)
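Review bot: the comment above the added `allow lmkd self:capability ipc_lock;` explains why lmkd locks its memory but does not name the call that triggers the capability check. Naming that call would let a later reader tell when the rule can be dropped, and it would survive better than the commit hash and bug number alone. The grant is otherwise as narrow as the denial in the commit message requires (ipc_lock, class capability, lmkd on itself). It does mean lmkd's capabilities are now declared in two statements, the other being the `{ dac_override sys_resource kill }` line at the top of the hunk. Keeping it separate is fine since it carries its own justification, but a short pointer on the first line would stop someone auditing the domain from missing the second grant.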