1type perfd, domain; 2type perfd_exec, exec_type, vendor_file_type, file_type; 3 4init_daemon_domain(perfd) 5 6allow perfd cgroup:file r_file_perms; 7 8allow perfd cameraserver:process signull; 9 10# files in /data/misc/perfd and /data/system/perfd 11typeattribute perfd data_between_core_and_vendor_violators; 12allow perfd perfd_data_file:dir create_dir_perms; 13allow perfd perfd_data_file:{ file sock_file } create_file_perms; 14 15allow perfd proc_kernel_sched:file r_file_perms; 16 17# read access /sys 18r_dir_file(perfd, sysfs_type) 19# normally write is not granted to the default "sysfs" label. 20# In this case, perfd needs access to files in /sys that are 21# commonly created and destroyed. When the kernel creates them, 22# they are created with the default label "sysfs". For robustness, 23# allow perfd to write to "sysfs" to ensure it can optimally 24# tune the power/cpu settings. 25allow perfd sysfs:file write; 26allow perfd sysfs_perf:file write; 27allow perfd sysfs_msm_subsys:file write; 28allow perfd sysfs_devices_system_cpu:file write; 29allow perfd sysfs_power_management:file write; 30 31allow perfd proc_kernel_sched:file w_file_perms; 32allow perfd gpu_device:chr_file rw_file_perms; 33 34# perfd uses kill(pid, 0) to determine if a process exists. 35# Determining if a process exists does not require the kill capability 36# since a permission denied indicates the process exists. 37dontaudit perfd self:capability kill; 38