5c6a227ebb
Copy the final system sepolicy from oc-dev to its prebuilt dir corresponding to its version (26.0) so that we can uprev policy and start maintaining compatibility files, as well as use it for CTS tests targeting future platforms. Bug: 37896931 Test: none, this just copies the old policy. Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
18 lines
766 B
Text
18 lines
766 B
Text
# performanced
|
|
type performanced, domain, mlstrustedsubject;
|
|
type performanced_exec, exec_type, file_type;
|
|
|
|
pdx_server(performanced, performance_client)
|
|
|
|
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
|
|
allow performanced self:capability { setuid setgid sys_nice };
|
|
|
|
# Access /proc to validate we're only affecting threads in the same thread group.
|
|
# Performanced also shields unbound kernel threads. It scans every task in the
|
|
# root cpu set, but only affects the kernel threads.
|
|
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
|
|
dontaudit performanced domain:dir read;
|
|
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
|
|
|
|
# Access /dev/cpuset/cpuset.cpus
|
|
r_dir_file(performanced, cgroup)
|