# performanced
# SELinux policy for the performanced domain. The rules below let it adjust
# scheduling for apps, bufferhubd, surfaceflinger and kernel threads, and read
# their /proc entries and the cpuset cgroup files.

# Domain type for the running process. mlstrustedsubject exempts the domain
# from MLS constraints.
# NOTE(review): presumably needed to read app /proc entries across MLS
# categories - confirm before narrowing.
type performanced, domain, mlstrustedsubject;
# Label for the performanced executable file.
type performanced_exec, exec_type, file_type;

# Needed to check for app permissions.
# Binder access is limited to system_server, and the only service that can be
# looked up is permission_service.
binder_use(performanced)
binder_call(performanced, system_server)
allow performanced permission_service:service_manager find;

# performanced is the PDX server for the performance_client service
# (the pdx_server macro is defined outside this file).
pdx_server(performanced, performance_client)

# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
# NOTE(review): setuid and setgid are much broader than the sys_nice that the
# TODO says is actually wanted; while they are granted, the process can change
# its UID/GID. Keep this rule on the least-privilege review list until the
# TODO is resolved.
allow performanced self:capability { setuid setgid sys_nice };

# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
# Read-only access to the /proc entries of the listed domains only.
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
# The scan touches tasks in domains not listed above; those directory reads are
# denied, and this rule keeps the denials out of the audit log.
# NOTE(review): because of that, audit logs will not show which other domains'
# /proc directories performanced tried to read.
dontaudit performanced domain:dir read;
# Permission to change scheduling of any process in the listed domains.
# NOTE(review): policy does not restrict this per caller or per thread group;
# that check (see the comments above) is enforced in performanced's own code -
# confirm it runs before every scheduling change.
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;

# Access /dev/cpuset/cpuset.cpus
# Read-only access to files labeled cgroup.
r_dir_file(performanced, cgroup)