2017-02-10 00:15:11 +01:00
|
|
|
# performanced
|
|
|
|
type performanced, domain, mlstrustedsubject;
|
2018-09-27 19:21:37 +02:00
|
|
|
type performanced_exec, system_file_type, exec_type, file_type;
|
2017-02-10 00:15:11 +01:00
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
# Needed to check for app permissions.
|
|
|
|
binder_use(performanced)
|
|
|
|
binder_call(performanced, system_server)
|
|
|
|
allow performanced permission_service:service_manager find;
|
|
|
|
|
2017-05-01 22:01:44 +02:00
|
|
|
pdx_server(performanced, performance_client)
|
2017-02-10 00:15:11 +01:00
|
|
|
|
|
|
|
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
|
2017-11-09 23:51:26 +01:00
|
|
|
allow performanced self:global_capability_class_set { setuid setgid sys_nice };
|
2017-02-10 00:15:11 +01:00
|
|
|
|
|
|
|
# Access /proc to validate we're only affecting threads in the same thread group.
|
|
|
|
# Performanced also shields unbound kernel threads. It scans every task in the
|
|
|
|
# root cpu set, but only affects the kernel threads.
|
2017-04-24 22:15:27 +02:00
|
|
|
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
|
2017-02-10 00:15:11 +01:00
|
|
|
dontaudit performanced domain:dir read;
|
2017-04-24 22:15:27 +02:00
|
|
|
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
|
2017-02-10 00:15:11 +01:00
|
|
|
|
2018-02-27 11:42:12 +01:00
|
|
|
# These /proc accesses only show up in permissive mode but they
|
|
|
|
# generate a lot of noise in the log.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
dontaudit performanced domain:dir open;
|
|
|
|
dontaudit performanced domain:file { open read getattr };
|
|
|
|
')
|
|
|
|
|
2017-02-10 00:15:11 +01:00
|
|
|
# Access /dev/cpuset/cpuset.cpus
|
|
|
|
r_dir_file(performanced, cgroup)
|
2021-02-12 00:18:11 +01:00
|
|
|
r_dir_file(performanced, cgroup_v2)
|