Allow init to execute extra_free_kbytes.sh script

extra_free_kbytes.sh is used by init to set the /proc/sys/vm/watermark_scale_factor
value. Allow init to execute extra_free_kbytes.sh and the script to access
/proc/sys/vm/watermark_scale_factor and /proc/sys/vm/extra_free_kbytes
files.

Bug: 109664768
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I55ec07e12a1cc5322cfdd4a48d0bdc607f45d832
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 34f37c2..8010071 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -7,6 +7,8 @@
   ( new_objects
     artd_service
     camera2_extensions_prop
+    extra_free_kbytes
+    extra_free_kbytes_exec
     hal_contexthub_service
     hal_system_suspend_service
     hal_tv_tuner_service
@@ -17,6 +19,7 @@
     tare_service
     transformer_service
     proc_watermark_boost_factor
+    proc_watermark_scale_factor
     untrusted_app_30
     proc_vendor_sched
     sysfs_vendor_sched
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
new file mode 100644
index 0000000..af3088b
--- /dev/null
+++ b/private/extra_free_kbytes.te
@@ -0,0 +1,3 @@
+typeattribute extra_free_kbytes coredomain;
+
+init_daemon_domain(extra_free_kbytes)
diff --git a/private/file_contexts b/private/file_contexts
index a5dd5a6..5433726 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -222,6 +222,7 @@
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
+/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
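Review bot: The new `/system/bin/extra_free_kbytes\.sh` entry omits the `--` file-type field that the neighbouring `e2fsck` and `fsck\.*` entries carry, so the label is not limited to a regular file at that path. It is also space-separated where the surrounding lines use tabs. `/system/bin/extra_free_kbytes\.sh	--	u:object_r:extra_free_kbytes_exec:s0` would match the adjacent entries.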
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 906dee9..664a3b3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -87,6 +87,7 @@
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
 genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
+genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
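Review bot: Giving /proc/sys/vm/watermark_scale_factor its own label removes access for every domain that reached the file under its previous label, and the only allow rules this commit adds for `proc_watermark_scale_factor` are for `extra_free_kbytes`. If any init.rc or vendor init script writes this sysctl directly (not visible here), it will start hitting denials, so it is worth checking boot logs for avc denials on this type and adding an explicit rule where the access is intended. The type is also listed under `new_objects` in 31.0.ignore.cil rather than mapped to an older type, so vendor policy built against 31.0 presumably gets no compatibility access either.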
diff --git a/public/extra_free_kbytes.te b/public/extra_free_kbytes.te
new file mode 100644
index 0000000..ed0c935
--- /dev/null
+++ b/public/extra_free_kbytes.te
@@ -0,0 +1,13 @@
+# The extra_free_kbytes.sh script run by init.
+type extra_free_kbytes, domain;
+type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
+
+# required permissions to run the script from init
+allow extra_free_kbytes shell_exec:file rx_file_perms;
+allow extra_free_kbytes system_file:file x_file_perms;
+allow extra_free_kbytes toolbox_exec:file rx_file_perms;
+
+# files used by the script
+allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
+allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
+allow extra_free_kbytes proc_zoneinfo:file r_file_perms;
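Review bot: `allow extra_free_kbytes system_file:file x_file_perms;` is the widest grant in this new domain, since it permits executing any file labelled `system_file` from inside the domain, and the comment above it does not say which binary the script needs it for. A comment naming that binary, e.g. `# <tool invoked by the script> is labelled system_file`, would let a later reviewer narrow or drop the rule. The two `rw_file_perms` grants on the proc files could likewise be reduced to `w_file_perms` if the script only writes them, which the diff does not show. Since nothing here looks intended for vendor policy, the allow rules could presumably live in private/extra_free_kbytes.te next to `init_daemon_domain`, leaving only the type declarations public.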
diff --git a/public/file.te b/public/file.te
index def74af..984b783 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,6 +77,7 @@
 type proc_version, fs_type, proc_type;
 type proc_vmallocinfo, fs_type, proc_type;
 type proc_vmstat, fs_type, proc_type;
+type proc_watermark_scale_factor, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type proc_vendor_sched, proc_type, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;