authorRussell Coker <russell@coker.com.au>2023-09-14 23:15:09 +1000
committerKenton Groombridge <concord@gentoo.org>2023-10-06 11:26:32 -0400
commit0220c5d94da0eca9d8f8ba3c71a092dcd4719f5d (patch)
tree465091d98079625044df45b91fe7dbd71586ae39
parent/var/lib/sddm should be xdm_var_lib_t (diff)
Daemon to monitor memory pressure and notify applications and change … (#670)
* Daemon to monitor memory pressure and notify applications and change kernel OOM settings. Signed-off-by: Russell Coker <russell@coker.com.au> * Changed the self dgram access to create_socket_perms Signed-off-by: Russell Coker <russell@coker.com.au> --------- Signed-off-by: Russell Coker <russell@coker.com.au> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/services/geoclue.te4
-rw-r--r--policy/modules/services/lowmemorymonitor.fc1
-rw-r--r--policy/modules/services/lowmemorymonitor.if30
-rw-r--r--policy/modules/services/lowmemorymonitor.te36
4 files changed, 71 insertions, 0 deletions
diff --git a/policy/modules/services/geoclue.te b/policy/modules/services/geoclue.te
index 8dc747a6..33148587 100644
--- a/policy/modules/services/geoclue.te
+++ b/policy/modules/services/geoclue.te
@@ -40,6 +40,10 @@ optional_policy(`
')
optional_policy(`
+ low_mem_mon_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
networkmanager_dbus_chat(geoclue_t)
')
diff --git a/policy/modules/services/lowmemorymonitor.fc b/policy/modules/services/lowmemorymonitor.fc
new file mode 100644
index 00000000..4b2c711a
--- /dev/null
+++ b/policy/modules/services/lowmemorymonitor.fc
@@ -0,0 +1 @@
+/usr/libexec/low-memory-monitor -- gen_context(system_u:object_r:low_mem_mon_exec_t,s0)
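Review bot: Only `/usr/libexec/low-memory-monitor` is labelled `low_mem_mon_exec_t`, so a binary installed under any other path would keep its default label. In that case the `init_daemon_domain(low_mem_mon_t, low_mem_mon_exec_t)` transition declared in lowmemorymonitor.te would presumably not fire, and the daemon would run outside `low_mem_mon_t`. If other install locations are in use, add one entry per path; otherwise a comment such as `# upstream installs into libexecdir only` would record that the single path is deliberate.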
diff --git a/policy/modules/services/lowmemorymonitor.if b/policy/modules/services/lowmemorymonitor.if
new file mode 100644
index 00000000..83e06371
--- /dev/null
+++ b/policy/modules/services/lowmemorymonitor.if
@@ -0,0 +1,30 @@
+## <summary>low memory monitor daemon</summary>
+##
+## <desc>
+## The Low Memory Monitor is an early boot daemon that will monitor memory
+## pressure information coming from the kernel, and, first, send a signal
+## to user-space applications when memory is running low, and then optionally
+## activate the kernel's OOM killer when memory is running really low.
+## https://gitlab.freedesktop.org/hadess/low-memory-monitor
+## </desc>
+
+########################################
+## <summary>
+## Send and receive messages from
+## low_mem_mon_t over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`low_mem_mon_dbus_chat',`
+ gen_require(`
+ type low_mem_mon_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 low_mem_mon_t:dbus send_msg;
+ allow low_mem_mon_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/lowmemorymonitor.te b/policy/modules/services/lowmemorymonitor.te
new file mode 100644
index 00000000..7f086c1e
--- /dev/null
+++ b/policy/modules/services/lowmemorymonitor.te
@@ -0,0 +1,36 @@
+policy_module(lowmemorymonitor)
+
+# daemon to monitor low memory and control kernel OOM
+
+########################################
+#
+# Declarations
+#
+
+type low_mem_mon_t;
+type low_mem_mon_exec_t;
+init_daemon_domain(low_mem_mon_t, low_mem_mon_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow low_mem_mon_t self:capability ipc_lock;
+allow low_mem_mon_t self:unix_dgram_socket create_socket_perms;
+
+kernel_rw_psi(low_mem_mon_t)
+kernel_read_system_state(low_mem_mon_t)
+
+# /etc/localtime
+files_read_etc_symlinks(low_mem_mon_t)
+
+dbus_list_system_bus_runtime(low_mem_mon_t)
+dbus_system_bus_client(low_mem_mon_t)
+dbus_connect_system_bus(low_mem_mon_t)
+
+miscfiles_read_localization(low_mem_mon_t)
+
+optional_policy(`
+ unconfined_dbus_send(low_mem_mon_t)
+')
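Review bot: The header comment says this daemon will "control kernel OOM", but the local policy grants only `kernel_rw_psi` and `kernel_read_system_state`; no rule visible in this hunk allows writing to a kernel OOM or sysrq interface. If leaving that path denied is intentional, state it next to the kernel rules, e.g. `# OOM-killer triggering is intentionally not allowed; PSI monitoring and D-Bus notification only`, so a later AVC denial is reviewed rather than fixed by widening the domain. `allow low_mem_mon_t self:capability ipc_lock;` and the write half of `kernel_rw_psi` also need why-comments, for instance `# presumably mlock so the monitor is not paged out under pressure` and `# write access presumably used to register PSI triggers`, both to be confirmed against the daemon. The `unconfined_dbus_send(low_mem_mon_t)` block would similarly benefit from a one-line note on which unconfined clients are expected to receive the low-memory signal.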