# performanced
# SELinux policy for the performanced domain. The rules below give it binder
# access to system_server, a PDX service endpoint, three capabilities,
# read access to the /proc entries of a fixed set of domains plus cgroup,
# and the right to change scheduling for processes in those domains.
#
# mlstrustedsubject exempts this domain from MLS constraints.
# NOTE(review): presumably required because the rules below reach into
# processes of other domains (appdomain, kernel, ...) -- confirm it is still needed.
type performanced, domain, mlstrustedsubject;
type performanced_exec, exec_type, file_type;

# Needed to check for app permissions.
# Only the permission_service lookup is granted here; no other service_manager
# find rule appears in this file.
binder_use(performanced)
binder_call(performanced, system_server)
allow performanced permission_service:service_manager find;

# Sets up performanced as the PDX server side of the performance_client
# service. The macro is defined outside this file; see its definition for the
# exact socket and channel rules it expands to.
pdx_server(performanced, performance_client)

# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
# NOTE(review): per the TODO, setuid and setgid are only a means of obtaining
# sys_nice. They are the widest grants in this file and should be dropped once
# file capabilities are in place, leaving sys_nice alone.
allow performanced self:global_capability_class_set { setuid setgid sys_nice };

# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
# The scan touches every task, so directory reads on domains outside the set
# above are denied; this rule keeps those denials out of the audit log.
# dontaudit grants nothing, but it also means unexpected directory reads by
# performanced on any domain will not produce an AVC record.
dontaudit performanced domain:dir read;
# Lets performanced change scheduling parameters of processes in exactly these
# domains, kernel threads included. Any domain added to this set becomes
# reschedulable by performanced, so keep it in step with the r_dir_file set above.
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;

# These /proc accesses only show up in permissive mode but they
# generate a lot of noise in the log.
# Wrapped in userdebug_or_eng, so the suppression applies to userdebug/eng
# builds only; nothing is allowed here, the accesses are only silenced.
userdebug_or_eng(`
  dontaudit performanced domain:dir open;
  dontaudit performanced domain:file { open read getattr };
')

# Access /dev/cpuset/cpuset.cpus
# r_dir_file covers everything labelled cgroup, read-only, not just this file.
r_dir_file(performanced, cgroup)