# SELinux policy for the performanced domain.
# Blame shown on the source page: line 1 Alex Klyubin f5446eb (2017-03-23),
# line 3 Nick Bray 084faf0 (2017-02-09), line 4 onward Inseob Kim 75806ef
# (2024-03-27). Rows without a blame cell presumably belong to the entry above.

# Associate the performanced type with the coredomain attribute.
typeattribute performanced coredomain;

# Macro defined outside this file; presumably sets up the transition from init
# into this domain. Confirm against the macro definition.
init_daemon_domain(performanced)

# Needed to check for app permissions.
# binder_call names system_server as the only explicit Binder peer in this
# file, and the service_manager rule grants find only, on permission_service.
binder_use(performanced)
binder_call(performanced, system_server)
allow performanced permission_service:service_manager find;

# Macro defined outside this file; the arguments pair performanced with
# performance_client. Presumably declares the PDX server endpoint. TODO confirm.
pdx_server(performanced, performance_client)

# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
# NOTE(review): this grants setuid, setgid and sys_nice on the process itself.
# The TODO indicates setuid and setgid are only a means to obtain sys_nice, so
# they are a wider grant than the stated need and should be dropped once file
# capabilities are in place.
allow performanced self:global_capability_class_set { setuid setgid sys_nice };

# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
# r_dir_file is defined outside this file; by its name it grants read-only
# directory and file access. Confirm against the macro definition.
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
# dontaudit only silences the audit record for denied directory reads on other
# domains; it does not grant the access.
dontaudit performanced domain:dir read;
# NOTE(review): setsched covers every process in the listed domains, including
# kernel. The same-thread-group restriction described above is a check made by
# the daemon using /proc, not something this rule enforces.
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;

# These /proc accesses only show up in permissive mode but they
# generate a lot of noise in the log.
# The rules inside userdebug_or_eng are dontaudit only, so they suppress denial
# logging and allow nothing. By the macro name they apply to userdebug and eng
# builds only (macro defined outside this file). Denials they hide will not
# appear in audit logs on those builds.
userdebug_or_eng(`
dontaudit performanced domain:dir open;
dontaudit performanced domain:file { open read getattr };
')

# Access /dev/cpuset/cpuset.cpus
# Applied to both the cgroup and cgroup_v2 types.
r_dir_file(performanced, cgroup)
r_dir_file(performanced, cgroup_v2)