| Tri Vo | bc8dc3a | 2019-05-26 13:17:08 -0700 | [diff] [blame^] | 1 | # performanced |
| 2 | type performanced, domain, mlstrustedsubject; |
| 3 | type performanced_exec, system_file_type, exec_type, file_type; |
| 4 | |
| 5 | # Needed to check for app permissions. |
| 6 | binder_use(performanced) |
| 7 | binder_call(performanced, system_server) |
| 8 | allow performanced permission_service:service_manager find; |
| 9 | |
| 10 | pdx_server(performanced, performance_client) |
| 11 | |
| 12 | # TODO: use file caps to obtain sys_nice instead of setuid / setgid. |
| 13 | allow performanced self:global_capability_class_set { setuid setgid sys_nice }; |
| 14 | |
| 15 | # Access /proc to validate we're only affecting threads in the same thread group. |
| 16 | # Performanced also shields unbound kernel threads. It scans every task in the |
| 17 | # root cpu set, but only affects the kernel threads. |
| 18 | r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger }) |
| 19 | dontaudit performanced domain:dir read; |
| 20 | allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched; |
| 21 | |
| 22 | # These /proc accesses only show up in permissive mode but they |
| 23 | # generate a lot of noise in the log. |
| 24 | userdebug_or_eng(` |
| 25 | dontaudit performanced domain:dir open; |
| 26 | dontaudit performanced domain:file { open read getattr }; |
| 27 | ') |
| 28 | |
| 29 | # Access /dev/cpuset/cpuset.cpus |
| 30 | r_dir_file(performanced, cgroup) |