type perfd, domain;
type perfd_exec, exec_type, file_type;

init_daemon_domain(perfd)

# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set.  We do not appear to truly need this capability
# for perfd to operate.
dontaudit perfd self:capability fsetid;

# Data file accesses.
allow perfd perfd_data_file:dir create_dir_perms;
allow perfd perfd_data_file:file create_file_perms;

# Socket creation under /data/misc/perfd
allow perfd perfd_data_file:sock_file create_file_perms;

allow perfd sysfs_performance:dir search;
allow perfd sysfs_performance:file rw_file_perms;

allow perfd sysfs_thermal:dir search;
allow perfd sysfs_thermal:file rw_file_perms;

allow perfd proc_kernel_sched:file r_file_perms;

# allow writing to /sys/devices/system/cpu/*
allow perfd sysfs_devices_system_cpu:file rw_file_perms;

# access to /sys/module/lpm_levels/parameters/sleep_disabled
allow perfd sysfs_power_management:file w_file_perms;