path: root/sepolicy/mpdecision.te
blob: 838836dfa891fb73cca90b94e35ddfe714cf90ff (plain)
# mpdecision: CPU governor daemon. Runs as root and is launched by init.
type mpdecision, domain;
type mpdecision_exec, exec_type, file_type;
init_daemon_domain(mpdecision)

# Capabilities. Each one maps to a rule further down:
#   net_admin    - binding the kobject uevent netlink socket
#   chown        - setting the owner of the sock_file it creates
#   sys_nice     - adjusting scheduling priority
#   dac_override - kept under auditallow so every successful use is
#                  logged; treat any hit as a candidate for removal.
allow mpdecision self:capability { dac_override net_admin chown sys_nice };
auditallow mpdecision self:capability dac_override;
# chown on the sock_file also triggers an fsetid check. That is a side
# effect, not a need: silence the denial but do not grant it.
dontaudit mpdecision self:capability fsetid;

# CPU hotplug uevents are how the daemon learns which cores to manage.
allow mpdecision self:netlink_kobject_uevent_socket { create setopt bind read };

# Unix sockets: write into the mpdecision_socket directory, and create
# sock_files directly under /dev/socket (socket_device, e.g. /dev/socket/pb);
# the type_transition labels those as mpdecision_socket.
allow mpdecision mpdecision_socket:dir w_dir_perms;
allow mpdecision mpdecision_socket:sock_file create_file_perms;
allow mpdecision socket_device:dir w_dir_perms;
type_transition mpdecision socket_device:sock_file mpdecision_socket;

# sysfs: the cpu nodes plus the daemon's own tunables.
allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
allow mpdecision sysfs_mpdecision:dir r_dir_perms;
allow mpdecision sysfs_mpdecision:file rw_file_perms;

# Some nodes under /sys/devices/system/cpu, for example
#   /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
#   /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
# appear and disappear with hotplug, so they can end up carrying the
# generic sysfs label instead of sysfs_devices_system_cpu. The rule below
# is the stopgap for that. Be aware it grants write to *every* file
# labeled sysfs, not just these cpufreq nodes; it should go away once the
# labeling problem is solved (e.g. relabeling when a cpu comes online).
allow mpdecision sysfs:file write;

# Read access to system_server's and mediaserver's /proc/PID entries; the
# daemon wants /proc/PID/status. Note r_dir_file is not limited to status:
# it allows read of any dir/file carrying those process labels, i.e. the
# rest of the /proc/PID tree too (subject to the kernel's own /proc checks).
r_dir_file(mpdecision, system_server)
r_dir_file(mpdecision, mediaserver)