1# performanced 2type performanced, domain, mlstrustedsubject; 3type performanced_exec, exec_type, file_type; 4 5# Needed to check for app permissions. 6binder_use(performanced) 7binder_call(performanced, system_server) 8allow performanced permission_service:service_manager find; 9 10pdx_server(performanced, performance_client) 11 12# TODO: use file caps to obtain sys_nice instead of setuid / setgid. 13allow performanced self:global_capability_class_set { setuid setgid sys_nice }; 14 15# Access /proc to validate we're only affecting threads in the same thread group. 16# Performanced also shields unbound kernel threads. It scans every task in the 17# root cpu set, but only affects the kernel threads. 18r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger }) 19dontaudit performanced domain:dir read; 20allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched; 21 22# These /proc accesses only show up in permissive mode but they 23# generate a lot of noise in the log. 24userdebug_or_eng(` 25 dontaudit performanced domain:dir open; 26 dontaudit performanced domain:file { open read getattr }; 27') 28 29# Access /dev/cpuset/cpuset.cpus 30r_dir_file(performanced, cgroup) 31