Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.
Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e
diff --git a/app.te b/app.te
index 91210f5..491e785 100644
--- a/app.te
+++ b/app.te
@@ -185,9 +185,9 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin.
+# bluetooth requires net_admin and wake_alarm.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { appdomain -unconfineddomain } self:capability2 *;
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability2 *;
# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
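Review bot: The `-bluetooth` added to the capability2 assertion exempts the bluetooth domain from the app-wide rule for every capability2 bit, not only wake_alarm, and nothing in app.te says where the remaining bound lives. The limit to wake_alarm comes only from the domain-local neverallow this commit adds in bluetooth.te, so a later edit that drops or loosens that rule would leave capability2 unbounded for bluetooth without any build failure from app.te. I would extend the comment above the two rules to point there, e.g. `# bluetooth requires net_admin and wake_alarm; bluetooth.te restricts it to exactly those.`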
diff --git a/bluetooth.te b/bluetooth.te
index 4e274c4..619ce7f 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -28,6 +28,7 @@
# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
# Allow clients to use a socket provided by the bluetooth app.
# TODO: See if this is still required under bluedroid.
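Review bot: The new `allow bluetooth self:capability2 wake_alarm;` carries no comment saying why the capability is needed; the only heading visible above it is `# sysfs access.`, which does not describe a capability grant (blank lines may have been lost in this view). The commit message gives the reason, and it belongs next to the rule so the grant can be re-evaluated if the timer code changes: `# wake_alarm: required to arm wake alarms through the POSIX timer API.`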
@@ -55,5 +56,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin.
+# bluetooth requires net_admin and wake_alarm.
neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
+neverallow { bluetooth -unconfineddomain } self:capability2 ~wake_alarm;
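Review bot: The added `neverallow { bluetooth -unconfineddomain } self:capability2 ~wake_alarm;` copies the `-unconfineddomain` subtraction from the capability rule above it, so if bluetooth carries the unconfineddomain attribute the source set is empty and the assertion checks nothing. The app.te rule subtracts unconfineddomain as well, so in that configuration no neverallow bounds bluetooth's capability2 set at build time. Whether bluetooth can have that attribute is not visible in this diff; if it can, a comment such as `# No effect while bluetooth is in unconfineddomain.` above both rules would keep readers from relying on the assertion.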