Update to support splitted SystemSuspend AIDL interfaces
The suspend_control_aidl_interface is updated, renamed, and splitted
into android.system.suspend.control and
android.system.suspend.control.internal. This resulted in two suspend
services, update sepolicy to support this change.
Test: m
Bug: 171598743
Change-Id: I695bde405672af834fe662242347e62079f2e25f
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 7041276..6209e4f 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -42,6 +42,7 @@
snapuserd_socket
sysfs_devices_cs_etm
system_server_dumper_service
+ system_suspend_control_internal_service
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
diff --git a/private/service_contexts b/private/service_contexts
index eb12633..7e451b6 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -220,6 +220,7 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
+suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 56b9746..53c31c2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -97,6 +97,7 @@
-iorapd_service
-lpdump_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
diff --git a/private/system_server.te b/private/system_server.te
index 76ac007..0d48554 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1144,6 +1144,7 @@
allow system_server apex_info_file:file r_file_perms;
# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 7f343f2..217548f 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -3,8 +3,9 @@
type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)
-# To serve ISuspendControlService.aidl.
+# To serve ISuspendControlService and ISuspendControlServiceInternal.
binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_internal_service)
add_service(system_suspend, system_suspend_control_service)
# Access to /sys/power/{ wakeup_count, state } suspend interface.
@@ -23,6 +24,15 @@
neverallow {
domain
-atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
+
+neverallow {
+ domain
+ -atrace # tracing
-bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service