commit 0e903620a5ffa0c62b81e45e222ebd261ce1931a
author Kalesh Singh <kaleshsingh@google.com> Tue Jul 20 15:13:38 2021 +0000
committer Kalesh Singh <kaleshsingh@google.com> Tue Jul 20 18:54:55 2021 +0000
tree 24b70e0cf9a6b1502057a9e1247fc67d5db3034d
parent 6b4f91cbf0f1eeb3f6247eb7c3da03bb849364b9

sepolicy: Serve suspend AIDL hal from system_suspend

Allow system_suspend to server the suspend AIDL hal service.

Bug: 170260236
Test: Check logcat for supend avc denials
Change-Id: Ie4c07e2e8d75fd4b12e55db15511060e09be59cf

private/compat/31.0/31.0.ignore.cil

diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 9cb5c92..f1de944 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -7,6 +7,7 @@
   ( new_objects
     artd_service
     camera2_extensions_prop
+    hal_system_suspend_service
     power_stats_service
     transformer_service
     proc_watermark_boost_factor

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index f8c1607..61db2d1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -21,6 +21,7 @@
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
+android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
 
 accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0

private/system_suspend.te

diff --git a/private/system_suspend.te b/private/system_suspend.te
index caf8955..d924187 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -7,6 +7,8 @@
 binder_use(system_suspend)
 add_service(system_suspend, system_suspend_control_service)
 
+add_service(system_suspend, hal_system_suspend_service)
+
 # Access to /sys/power/{ wakeup_count, state } suspend interface.
 allow system_suspend sysfs_power:file rw_file_perms;
 

public/service.te

diff --git a/public/service.te b/public/service.te
index 756c31c..5f1de0f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -266,6 +266,7 @@
 type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
 type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
 type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_system_suspend_service, protected_service, service_manager_type;
 type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
 type hal_weaver_service, vendor_service, protected_service, service_manager_type;