Add sepolicy for suspend.debug.wakestats_log.enabled

Add initial sepolicy for suspend.debug.wakestats_log.enabled
Allow set from init
Allow read by system suspend

Bug: 301657457
Test: manual
Change-Id: I1123e169d69eadb909ed474c0c246a8a45eab2f0
Signed-off-by: Radu Solea <radusolea@google.com>
diff --git a/private/property.te b/private/property.te
index 87b0446..a098d05 100644
--- a/private/property.te
+++ b/private/property.te
@@ -61,6 +61,7 @@
 system_internal_prop(hypervisor_virtualizationmanager_prop)
 system_internal_prop(game_manager_config_prop)
 system_internal_prop(hidl_memory_prop)
+system_internal_prop(suspend_debug_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -342,8 +343,26 @@
   } {
     suspend_prop
   }:property_service set;
+
+  neverallow {
+    domain
+    -init
+  } {
+    suspend_debug_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -init
+    -dumpstate
+    userdebug_or_eng(`-system_suspend')
+    } {
+      suspend_debug_prop
+    }:file no_rw_file_perms;
 ')
 
+dontaudit system_suspend suspend_debug_prop:file r_file_perms;
+
 compatible_property_only(`
   # Neverallow coredomain to set vendor properties
   neverallow {
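Review bot: The unconditional `dontaudit system_suspend suspend_debug_prop:file r_file_perms;` added after the closing `')` carries no comment, and on user builds it hides the denial that follows from system_suspend being granted `get_prop` only inside `userdebug_or_eng` in private/system_suspend.te. Presumably that is intended, so the daemon can probe the property on every build without log noise; a comment such as `# Read is granted on userdebug/eng only; silence the expected denial on user builds.` would record it, since a dontaudit also removes the audit trail for that access. In the second neverallow the `} {`, `suspend_debug_prop` and `}:file no_rw_file_perms;` lines sit two spaces deeper than in the rule above; align them with it. The block closed by `')` opens outside this hunk.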
diff --git a/private/property_contexts b/private/property_contexts
index 8860024..2350011 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -119,6 +119,9 @@
 suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
 suspend.disable_sync_on_suspend u:object_r:suspend_prop:s0 exact bool
 
+# Suspend service debug properties
+suspend.debug.wakestats_log.enabled u:object_r:suspend_debug_prop:s0 exact bool
+
 # Fastbootd protocol control property
 fastbootd.protocol    u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
 
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 683d913..a525866 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -22,6 +22,11 @@
 # Access to suspend_hal system properties
 get_prop(system_suspend, suspend_prop)
 
+# Access to system_suspend debug system properties
+userdebug_or_eng(`
+  get_prop(system_suspend, suspend_debug_prop)
+')
+
 # To call BTAA registered callbacks
 allow system_suspend bluetooth:binder call;