Add SELinux policy support for Userspace Resource Manager (URM) (#1097)

varunsinghal29 · web-flow · commit 586caeace3ba · 2026-06-01T15:20:36.000-04:00
Add SELinux policy definitions for the URM (Username Resource Manager)
service, which manages CPU, IRQ, and cgroup resources per username for
optimizing system performance.

Changes include:
- urm.fc: File context definitions mapping:
  - /etc/urm(/.*)? configuration files to urm_config_t
  - /run/restune_sock runtime socket to urm_runtime_t
  - /usr/bin/urm binary to urm_exec_t

- urm.te: Type declarations for 4 types:
  - urm_config_t: URM configuration files under /etc/urm
  - urm_exec_t: URM executable
  - urm_t: URM daemon process domain
  - urm_runtime_t: URM runtime socket under /run

  Policy rules include:
  - Suppress spurious capability denials for dac_override,
    dac_read_search and net_admin
  - Netlink connector socket for kernel-userspace communication
  - Unix stream socket for client-server communication
  - Config file read/write for per-username CPU frequency
    scaling settings e.g. scaling_max_freq.txt
  - Runtime socket management under /run for client communication
  - Runtime socket transition under /run for client communication
  - PM QoS access via /dev/cpu_dma_latency for power and
    latency management per username
  - sysfs read/write for CPU frequency scaling and IRQ affinity
  - All domain process state read from /proc/&lt;pid&gt; for
    per-username process resource monitoring
  - Cgroup file and directory management for per-username
    resource group isolation
  - System state read from /proc for per-username resource
    usage monitoring
  - Kernel module request for netlink connector
  - IRQ sysctl read/write for per-username IRQ affinity
    management via /proc/irq/*/smp_affinity
  - Kernel sysctl read/write e.g. sched_util_clamp_min
  - Syslog access for logging
  - Config file read via urm_read_config() interface

- urm.if: Two interface definitions:
  - urm_read_config(): allows domains to read URM configuration
    files under /etc/urm
  - urm_stream_connect(): allows domains to connect to URM
    via unix domain stream socket

Signed-off-by: Varun Singhal &lt;varusing@qti.qualcomm.com&gt;
diff --git a/policy/modules/services/urm.fc b/policy/modules/services/urm.fc
@@ -0,0 +1,3 @@
+/etc/urm(/.*)?                 gen_context(system_u:object_r:urm_config_t,s0)
+/run/restune_sock      -s      gen_context(system_u:object_r:urm_runtime_t,s0)
+/usr/bin/urm           --      gen_context(system_u:object_r:urm_exec_t,s0)
diff --git a/policy/modules/services/urm.if b/policy/modules/services/urm.if
@@ -0,0 +1,49 @@
+## <summary> Policy for the URM (Username Resource Manager) service.</summary>
+## <desc>
+##      <p>
+##              URM (Username Resource Manager) is a system service
+##              that manages CPU, IRQ, and cgroup resources per
+##              username for optimizing system performance.
+##      </p>
+## </desc>
+#
+
+########################################
+## <summary>
+##      Read the URM configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`urm_read_config',`
+        gen_require(`
+                type urm_config_t;
+        ')
+
+        files_search_etc($1)
+        allow $1 urm_config_t:dir list_dir_perms;
+        read_files_pattern($1, urm_config_t, urm_config_t)
+        read_lnk_files_pattern($1, urm_config_t, urm_config_t)
+')
+
+########################################
+## <summary>
+##      Connect to urm with a unix stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`urm_stream_connect',`
+        gen_require(`
+                type urm_t, urm_runtime_t;
+        ')
+        
+        allow $1 urm_runtime_t:sock_file rw_sock_file_perms;
+        stream_connect_pattern($1, urm_runtime_t, urm_runtime_t, urm_t)
+')
diff --git a/policy/modules/services/urm.te b/policy/modules/services/urm.te
@@ -0,0 +1,87 @@
+policy_module(urm)
+
+########################################
+#
+# Declarations
+#
+
+type urm_config_t;
+files_config_file(urm_config_t)
+
+type urm_exec_t;
+type urm_t;
+init_daemon_domain(urm_t, urm_exec_t)
+
+type urm_runtime_t;
+files_runtime_file(urm_runtime_t)
+
+########################################
+#
+# urm local policy
+#
+
+# Suppress spurious capability denials
+dontaudit urm_t self:capability { dac_override dac_read_search net_admin };
+
+# Netlink connector socket access
+allow urm_t self:netlink_connector_socket create_socket_perms;
+
+# Unix stream socket for client-server communication
+allow urm_t self:unix_stream_socket { create connectto };
+
+# Read and write its own config files
+# e.g. scaling_max_freq.txt for per-username
+# CPU frequency scaling settings
+allow urm_t urm_config_t:file rw_file_perms;
+
+# Allow urm to manage its runtime socket
+# under /run for client communication
+allow urm_t urm_runtime_t:sock_file manage_sock_file_perms;
+
+# Create runtime socket transition under /run
+files_runtime_filetrans(urm_t, urm_runtime_t, sock_file)
+
+# Access /dev/cpu_dma_latency for PM QoS
+# to manage power and latency per username
+dev_rw_pmqos(urm_t)
+
+# Read and write sysfs entries for CPU frequency
+# scaling and IRQ affinity management
+dev_rw_sysfs(urm_t)
+
+# Read all domain process state /proc/<pid>
+# for per-username process resource monitoring
+domain_read_all_domains_state(urm_t)
+
+# Create camera and other cgroup directories
+# for per-username resource group isolation
+fs_create_cgroup_dirs(urm_t)
+
+# Create and manage cgroup files
+# for per-username resource group isolation
+fs_create_cgroup_files(urm_t)
+
+# Read and write cgroup files/dirs for
+# per-username resource group management
+fs_rw_cgroup_files(urm_t)
+
+# Read system state from /proc for monitoring
+# per-username resource usage
+kernel_read_system_state(urm_t)
+
+# Request kernel module loading e.g. netlink connector
+kernel_request_load_module(urm_t)
+
+# Read and write IRQ sysctls /proc/irq/*/smp_affinity
+# for per-username IRQ affinity management
+kernel_rw_irq_sysctls(urm_t)
+
+# Read and write kernel sysctls e.g. sched_util_clamp_min
+# for per-username CPU scheduling resource management
+kernel_rw_kernel_sysctl(urm_t)
+
+# Send log messages to syslog
+logging_send_syslog_msg(urm_t)
+
+# Read per-username resource configuration files under /etc/urm
+urm_read_config(urm_t)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+/etc/urm(/.*)? gen_context(system_u:object_r:urm_config_t,s0)`
	`2`	`+/run/restune_sock -s gen_context(system_u:object_r:urm_runtime_t,s0)`
	`3`	`+/usr/bin/urm -- gen_context(system_u:object_r:urm_exec_t,s0)`