# CPU governor (root process)
# mpdecision: vendor CPU core-hotplug / governor daemon. Domain for the
# running process plus the type its executable is labelled with.
type mpdecision, domain;
type mpdecision_exec, exec_type, file_type;

# DAC overrides
# CAP_DAC_OVERRIDE lets the daemon bypass file mode bits. The matching
# auditallow records every *granted* use of that capability in the audit
# log, so the real need can be narrowed later rather than left as a blanket
# bypass; it does not restrict anything by itself.
allow mpdecision self:capability dac_override;
auditallow mpdecision self:capability dac_override;

# Started by init
# init_daemon_domain: standard macro for a daemon spawned by init that
# should run in this domain (transition from init via mpdecision_exec).
init_daemon_domain(mpdecision)

# CPU hotplug uevent to manage cores
# Create/bind/read a kobject uevent netlink socket to learn about cores
# appearing and disappearing. net_admin is grouped here by the original
# author; presumably required for the netlink socket -- confirm before
# dropping either line independently.
allow mpdecision self:netlink_kobject_uevent_socket { create setopt bind read };
allow mpdecision self:capability net_admin;

# Create under /dev/socket/mpdecision
# Write into a directory already labelled mpdecision_socket and create the
# socket file there (create_file_perms also covers later open/read/write/
# unlink on that sock_file).
allow mpdecision mpdecision_socket:dir w_dir_perms;
allow mpdecision mpdecision_socket:sock_file create_file_perms;

# Also support mpdecision creating the /dev/socket/pb socket
# Any sock_file mpdecision creates inside a socket_device directory
# (/dev/socket) is automatically labelled mpdecision_socket instead of
# inheriting socket_device, so the two rules above govern it. chown is
# needed because the daemon changes the owner of that socket; it is also
# what makes the fsetid dontaudit below necessary.
type_transition mpdecision socket_device:sock_file mpdecision_socket;
allow mpdecision self:capability chown;
allow mpdecision socket_device:dir w_dir_perms;

# By-product of setting owner on sock_file (don't allow)
# The chown path probes CAP_FSETID as well; dontaudit only silences the
# denial message -- the capability is still refused.
dontaudit mpdecision self:capability fsetid;

# Read/write the labelled CPU control nodes and the mpdecision-specific
# sysfs nodes.
allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
allow mpdecision sysfs_mpdecision:dir r_dir_perms;
allow mpdecision sysfs_mpdecision:file rw_file_perms;

# Some files in /sys/devices/system/cpu may pop in and out of existence,
# defeating our attempt to label them. As a result, they could have the
# sysfs label, not the sysfs_devices_system_cpu label.
# Allow write access for now until we figure out a better solution.
# For example, the following files pop in and out of existence:
#   /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
#   /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
# NOTE(review): this rule is NOT limited to those two paths. It grants
# write on every file carrying the plain sysfs label (presumably the
# default for any sysfs node without a more specific label), so a
# compromised mpdecision could write arbitrary sysfs knobs. TODO: get the
# hotplugged cpufreq nodes labelled sysfs_devices_system_cpu (e.g. a
# relabel triggered on the hotplug uevent, or a more specific
# genfscon/file_contexts entry -- confirm which applies here) and remove
# this rule.
allow mpdecision sysfs:file write;

# This is needed to allow mpdecision to look at system_server's
# /proc/PID/status file. Same for mediaserver.
# NOTE(review): r_dir_file grants dir and file read on everything labelled
# with the target process domain, which for /proc/PID presumably covers
# far more than status (maps, environ, ...). Confirm whether a narrower
# permission set is enough; as written this is an information-disclosure
# surface if mpdecision is compromised.
r_dir_file(mpdecision, system_server)
r_dir_file(mpdecision, mediaserver)

# CAP_SYS_NICE -- presumably to adjust scheduling priority/affinity of the
# cores it manages; confirm against the daemon.
allow mpdecision self:capability sys_nice;