Merge "SELinux policy for rss_hwm_reset"

private/compat/28.0/28.0.ignore.cil

@@ -64,6 +64,8 @@
     overlayfs_file
     recovery_socket
     role_service
+    rss_hwm_reset
+    rss_hwm_reset_exec
     runtime_service
     super_block_device
     system_lmk_prop

private/file_contexts

@@ -251,6 +251,7 @@
 /system/bin/usbd   u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
+/system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0

private/rss_hwm_reset.te

@@ -0,0 +1,14 @@
+type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
+
+# Start rss_hwm_reset from init.
+init_daemon_domain(rss_hwm_reset)
+
+# Search /proc/pid directories.
+allow rss_hwm_reset domain:dir search;
+
+# Write to /proc/pid/clear_refs of other processes.
+# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
+allow rss_hwm_reset self:global_capability_class_set { dac_override };
+
+# Write to /prc/pid/clear_refs.
+allow rss_hwm_reset domain:file w_file_perms;

public/domain.te

@@ -1354,6 +1354,7 @@ define(`dac_override_allowed', `{
   perfprofd
   postinstall_dexopt
   recovery
+  rss_hwm_reset
   sdcardd
   tee
   ueventd

public/rss_hwm_reset.te

@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;