private/llkd.te

# llkd Live LocK Daemon
typeattribute llkd coredomain;

init_daemon_domain(llkd)

get_prop(llkd, llkd_prop)

allow llkd self:global_capability_class_set kill;
userdebug_or_eng(`
  allow llkd self:global_capability_class_set sys_ptrace;
  allow llkd self:global_capability_class_set dac_override;
')

# llkd optionally locks itself in memory, to prevent it from being
# swapped out and unable to discover a kernel in live-lock state.
allow llkd self:global_capability_class_set ipc_lock;

# Send kill signals to _anyone_ suffering from Live Lock
allow llkd domain:process sigkill;

# read stack to check for Live Lock
userdebug_or_eng(`
  allow llkd {
    domain
    -kernel
    -keystore
    -init
    -llkd
    -ueventd
    -vendor_init
  }:process ptrace;
')

# live lock watchdog process allowed to look through /proc/
allow llkd domain:dir r_dir_perms;
allow llkd domain:file r_file_perms;
allow llkd domain:lnk_file read;
# Set /proc/sys/kernel/hung_task_*
allow llkd proc_hung_task:file rw_file_perms;

# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
allow llkd proc_sysrq:file w_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;

### neverallow rules

neverallow { domain -init } llkd:process { dyntransition transition };
neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;

# never honor LD_PRELOAD
neverallow * llkd:process noatsecure;