1 type perfd, domain; 2 type perfd_exec, exec_type, vendor_file_type, file_type; 3 4 init_daemon_domain(perfd) 5 6 allow perfd cgroup:file r_file_perms; 7 8 allow perfd cameraserver:process signull; 9 10 # files in /data/misc/perfd and /data/system/perfd 11 allow perfd perfd_data_file:dir create_dir_perms; 12 allow perfd perfd_data_file:{ file sock_file } create_file_perms; 13 14 allow perfd proc_kernel_sched:file r_file_perms; 15 16 # read access /sys 17 r_dir_file(perfd, sysfs_type) 18 # normally write is not granted to the default "sysfs" label. 19 # In this case, perfd needs access to files in /sys that are 20 # commonly created and destroyed. When the kernel creates them, 21 # they are created with the default label "sysfs". For robustness, 22 # allow perfd to write to "sysfs" to ensure it can optimally 23 # tune the power/cpu settings. 24 allow perfd sysfs:file write; 25 allow perfd sysfs_perf:file write; 26 allow perfd sysfs_msm_subsys:file write; 27 allow perfd sysfs_devices_system_cpu:file write; 28 allow perfd sysfs_power_management:file write; 29 30 allow perfd proc_kernel_sched:file w_file_perms; 31 allow perfd gpu_device:chr_file rw_file_perms; 32 33 # perfd uses kill(pid, 0) to determine if a process exists. 34 # Determining if a process exists does not require the kill capability 35 # since a permission denied indicates the process exists. 36 dontaudit perfd self:capability kill; 37
