typeattribute performanced coredomain; init_daemon_domain(performanced) # Needed to check for app permissions. binder_use(performanced) binder_call(performanced, system_server) allow performanced permission_service:service_manager find; pdx_server(performanced, performance_client) # TODO: use file caps to obtain sys_nice instead of setuid / setgid. allow performanced self:global_capability_class_set { setuid setgid sys_nice }; # Access /proc to validate we're only affecting threads in the same thread group. # Performanced also shields unbound kernel threads. It scans every task in the # root cpu set, but only affects the kernel threads. r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger }) dontaudit performanced domain:dir read; allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched; # These /proc accesses only show up in permissive mode but they # generate a lot of noise in the log. userdebug_or_eng(` dontaudit performanced domain:dir open; dontaudit performanced domain:file { open read getattr }; ') # Access /dev/cpuset/cpuset.cpus r_dir_file(performanced, cgroup) r_dir_file(performanced, cgroup_v2)