# SELinux policy for perfd, the vendor performance-tuning daemon.
# perfd_exec labels the daemon binary; init_daemon_domain() makes init
# transition into the perfd domain when it executes that binary.
type perfd, domain;
type perfd_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(perfd)

# Read-only view of cgroup files.
allow perfd cgroup:file r_file_perms;

# signull only: perfd may probe cameraserver with the null signal
# (kill(pid, 0)); no real signal delivery is granted by this rule.
allow perfd cameraserver:process signull;

# perfd keeps state in /data/misc/perfd and /data/system/perfd.
# The violators attribute marks perfd as a vendor domain that shares data
# with core components.
# NOTE(review): presumably this exempts perfd from the core/vendor
# data-separation neverallow rules -- confirm, and track moving the data
# to a vendor-only location so the attribute can be dropped.
typeattribute perfd data_between_core_and_vendor_violators;
allow perfd perfd_data_file:dir create_dir_perms;
allow perfd perfd_data_file:{ file sock_file } create_file_perms;

# Scheduler tunables under /proc: read and write.
# (rw_file_perms is the union of r_file_perms and w_file_perms.)
allow perfd proc_kernel_sched:file rw_file_perms;

# Read access to everything carrying the sysfs_type attribute.
r_dir_file(perfd, sysfs_type)

# Write access to /sys.
# The default "sysfs" label normally does not get write permission.
# perfd tunes power/cpu settings through /sys nodes that the kernel
# creates and destroys on the fly; freshly created nodes come up with the
# default "sysfs" label, so write on that label is granted for robustness.
# NOTE(review): "sysfs:file write" covers every /sys file that still has
# the default label, not only the tuning nodes. Where the node paths are
# stable, labelling them with a dedicated type (genfscon) and dropping the
# default-label grant would narrow this -- confirm which nodes perfd
# actually writes.
allow perfd {
    sysfs
    sysfs_perf
    sysfs_msm_subsys
    sysfs_devices_system_cpu
    sysfs_power_management
}:file write;

# Read/write access to the GPU character device.
allow perfd gpu_device:chr_file rw_file_perms;

# perfd checks whether a process exists with kill(pid, 0). The kill
# capability is not needed for that: a "permission denied" result already
# tells perfd the process exists. Suppress the resulting denial in the
# audit log instead of granting the capability.
dontaudit perfd self:capability kill;