# performanced
type performanced, domain, mlstrustedsubject;
type performanced_exec, exec_type, file_type;

pdx_server(performanced, performance_client)

# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
allow performanced self:capability { setuid setgid sys_nice };

# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads.  It scans every task in the
# root cpu set, but only affects the kernel threads.
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
dontaudit performanced domain:dir read;
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;

# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)