Add sepolicy for suspend.debug.wakestats_log.enabled
Add initial sepolicy for suspend.debug.wakestats_log.enabled
Allow set from init
Allow read by system suspend
Bug: 301657457
Test: manual
Change-Id: I1123e169d69eadb909ed474c0c246a8a45eab2f0
Signed-off-by: Radu Solea <radusolea@google.com>
diff --git a/private/property.te b/private/property.te
index 87b0446..a098d05 100644
--- a/private/property.te
+++ b/private/property.te
@@ -61,6 +61,7 @@
system_internal_prop(hypervisor_virtualizationmanager_prop)
system_internal_prop(game_manager_config_prop)
system_internal_prop(hidl_memory_prop)
+system_internal_prop(suspend_debug_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -342,8 +343,26 @@
} {
suspend_prop
}:property_service set;
+
+ neverallow {
+ domain
+ -init
+ } {
+ suspend_debug_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-system_suspend')
+ } {
+ suspend_debug_prop
+ }:file no_rw_file_perms;
')
+dontaudit system_suspend suspend_debug_prop:file r_file_perms;
+
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {