typeattribute performanced coredomain;

init_daemon_domain(performanced)

# Needed to check for app permissions.
binder_use(performanced)
binder_call(performanced, system_server)
allow performanced permission_service:service_manager find;

pdx_server(performanced, performance_client)

# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
allow performanced self:global_capability_class_set { setuid setgid sys_nice };

# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
dontaudit performanced domain:dir read;
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;

# These /proc accesses only show up in permissive mode but they
# generate a lot of noise in the log.
userdebug_or_eng(`
  dontaudit performanced domain:dir open;
  dontaudit performanced domain:file { open read getattr };
')

# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
r_dir_file(performanced, cgroup_v2)