Snap for 13611907 from 2452c4fa91d8b1457fec8d78282ec8f1b26c604d to 25Q3-release Change-Id: I130e9ee073893f225d177bb46d2d050b529f1def
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 369acd7..a849723 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -110,6 +110,7 @@
 /system/bin/mke2fs u:object_r:e2fs_exec:s0
 /system/bin/resize2fs u:object_r:fsck_exec:s0
 /system/bin/kexec_load u:object_r:kexec_exec:s0
+/system/bin/pageout_bomb u:object_r:pageout_bomb_exec:s0
 /system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
 /system/bin/atrace u:object_r:atrace_exec:s0
 /system/bin/perfetto u:object_r:perfetto_exec:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 9e0068e..8b40540 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -456,3 +456,6 @@
 allow init tmpfs:chr_file relabelfrom;
 allow init kmsg_device:chr_file { getattr write relabelto };
 allow init kmsg_debug_device:chr_file { open write relabelto };
+
+# For pageout_bomb.rc.
+allow init proc_drop_caches:file w_file_perms;
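Review bot: The added `allow init proc_drop_caches:file w_file_perms;` is unconditional, so init gains write access to drop_caches in every Microdroid image built from this policy, and the comment `# For pageout_bomb.rc.` does not say which action needs it or why. The rc file is not part of this diff, so it is not visible whether the write only happens once `pageout_bomb.go` is set. I would expand the comment along the lines of `# init writes drop_caches from pageout_bomb.rc when pageout_bomb.go is set (see <path to pageout_bomb.rc>).` once that is confirmed, and state whether the rule is meant to ship in non-debuggable VMs.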
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 10a3681..5945d9d 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -116,6 +116,8 @@ # Allow microdroid_manager to shutdown the device when verification fails set_prop(microdroid_manager, powerctl_prop) +set_prop(microdroid_manager, pageout_bomb_prop) + # Allow microdroid_manager to read bootconfig so that it can reject a bootconfig # that is different from what is recorded in the instance.img file. allow microdroid_manager proc_bootconfig:file r_file_perms;
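Review bot: The new `set_prop(microdroid_manager, pageout_bomb_prop)` is the only rule in this hunk without a comment, while the rules around it each explain why microdroid_manager needs the access. Since this property presumably starts a daemon that holds `sys_ptrace` (the rc trigger is not shown here), the rule should say so, e.g. `# Allow microdroid_manager to start pageout_bomb by setting pageout_bomb.go`. It would also help to note under which VM configuration microdroid_manager is expected to set it.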
diff --git a/microdroid/system/private/pageout_bomb.te b/microdroid/system/private/pageout_bomb.te
new file mode 100644
index 0000000..7e2b966
--- /dev/null
+++ b/microdroid/system/private/pageout_bomb.te
@@ -0,0 +1,14 @@
+type pageout_bomb, domain;
+type pageout_bomb_exec, exec_type, file_type;
+
+init_daemon_domain(pageout_bomb)
+
+# Allow logging to kmsg.
+allow pageout_bomb kmsg_device:chr_file w_file_perms;
+
+# Allow process_madvise
+allow pageout_bomb self:global_capability_class_set sys_nice;
+
+# Allow reading /proc/PID/maps of other processes
+allow pageout_bomb self:global_capability_class_set sys_ptrace;
+r_dir_file(pageout_bomb, domain)
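Review bot: `r_dir_file(pageout_bomb, domain)` combined with `sys_ptrace` lets this daemon read the /proc/PID directories, files and symlinks of every domain in the VM, which is wider than the `/proc/PID/maps` access the comment describes. If only a known set of processes is targeted, name those domains instead of the `domain` attribute. The file also has no header saying what pageout_bomb is for or whether it belongs in production images, and nothing bounds how the domain is entered. I would add a purpose comment at the top and guards such as `neverallow { domain -init } pageout_bomb:process transition;` and `neverallow * pageout_bomb:process dyntransition;`. Whether the capabilities can be narrowed depends on the binary, which is not part of this diff.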
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 4339fa0..922d1d1 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -128,6 +128,8 @@ microdroid_manager.encrypted_store.setup u:object_r:microdroid_encrypted_store_setup_prop:s0 exact bool microdroid_manager.encrypted_store.status u:object_r:microdroid_encrypted_store_status_prop:s0 exact enum mounted ready +pageout_bomb.go u:object_r:pageout_bomb_prop:s0 exact bool + servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool init_debug_policy.adbd.enabled u:object_r:init_debug_policy_prop:s0 exact bool
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 1ffd021..47027d2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -53,6 +53,7 @@ type vendor_default_prop, property_type; type powerctl_prop, property_type; type servicemanager_prop, property_type; +type pageout_bomb_prop, property_type; # public is for vendor-facing type and attribute definitions. # DO NOT ADD allow, neverallow, or dontaudit statements here.