      1 # performanced
      2 type performanced, domain, mlstrustedsubject;
      3 type performanced_exec, exec_type, file_type;
      4 
      5 pdx_server(performanced, performance_client)
      6 
      7 # TODO: use file caps to obtain sys_nice instead of setuid / setgid.
      8 allow performanced self:capability { setuid setgid sys_nice };
      9 
     10 # Access /proc to validate we're only affecting threads in the same thread group.
     11 # Performanced also shields unbound kernel threads.  It scans every task in the
     12 # root cpu set, but only affects the kernel threads.
     13 r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
     14 dontaudit performanced domain:dir read;
     15 allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
     16 
     17 # Access /dev/cpuset/cpuset.cpus
     18 r_dir_file(performanced, cgroup)
     19