Commit Graph

7 Commits

Author SHA1 Message Date
Suren Baghdasaryan e7d82ee7e7 lmkd: Add support for persist.device_config.lmkd_native.* properties
Allow persist.device_config.lmkd_native.* to override ro.lmk.*
properties to enable experiments with lmkd configuration properties.
Experiments will be able to set the appropriate
persist.device_config.lmkd_native.<name> property, which will issue the
"lmkd --reinit" command to reinitialize lmkd with new parameters.

Bug: 194316048
Test: adb shell device_config put lmkd_native thrashing_limit_critical 350
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ia48fd51eab126d307a1604530b642e86cf250688
Merged-In: Ia48fd51eab126d307a1604530b642e86cf250688
2021-09-09 15:09:45 -07:00
Suren Baghdasaryan 1d0ebeaa9c lmkd: Add property re-initialization support
Add --reinit command-line option to allow updating lmkd properties. For
example, to enable debug logging in the running lmkd process, the user should
issue:

setprop ro.lmk.debug true
lmkd --reinit

Bug: 155149944
Test: lmkd_unit_test after resetting lmkd properties
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ic60331f3368f5a7fdfe09ad7d47c7ccf0a497685
2020-05-06 15:05:04 -07:00
Suren Baghdasaryan 945658abc4 lmkd: Restrict process record modifications to the client that created it
Associate each registered process with the PID of the lmkd client that
registered it to prevent one client from updating records of another
client.

Bug: 129011369
Test: boot and verify native service registration
Change-Id: Id8ca7bb6314df225d04da6469b523d2cdc237eaa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-11-07 18:15:04 +00:00
Mark Salyzyn a00ccd8656 lmkd: limit capability set to minimum
Set F() capability set and 'drop' lmkd from AID_ROOT to AID_LMKD uid
and from AID_ROOT to AID_LMKD and AID_SYSTEM gid.

/dev/memcg/memory.pressure defaults to root.root mode 0000, set it up
as root.system mode 0040 to allow lmkd read access.

Instrument failure to set SCHED_FIFO.

Annotate access points that require elevated capabilities.

Test: check /proc/`pidof lmkd`/status for capability set
Test: lmkd_unit_test
Bug: 77650566
Change-Id: I986081a0434cf6e842b63a55726380205b30a3ea
2018-04-16 14:51:56 -07:00
Nick Kralevich 86ccd4ad3f Enable hidepid=2 on /proc
Add the following mount options to the /proc filesystem:

  hidepid=2,gid=3009

This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).

Please see
  https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.

hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.

Add AID_READPROC to processes which need to access /proc entries for
other UIDs.

Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
2015-11-09 09:08:46 -08:00
Tom Cherry 7fedfc9570 resolved conflicts for 5caca3dd to mnc-dr-dev-plus-aosp
Change-Id: I773e514a8232b77cdd566dc36c9efc4e15f206f0
2015-09-21 14:25:34 -07:00
Tom Cherry 07f0a748ee bundle init.rc contents with its service
Bug: 23186545
Change-Id: I52616b8ab1165fdef716f9b8f958665f2308c12e
2015-08-21 10:14:43 -07:00