Decouple system_suspend from hal attributes.

System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.

Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.

Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 91901d3..e0898b2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -85,9 +85,6 @@
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
     hal_secure_element_hwservice
-    hal_system_suspend_default
-    hal_system_suspend_default_exec
-    hal_system_suspend_default_tmpfs
     hal_tetheroffload_hwservice
     hal_wifi_hostapd_hwservice
     hal_usb_gadget_hwservice
@@ -164,7 +161,6 @@
     system_boot_reason_prop
     system_lmk_prop
     system_net_netd_hwservice
-    system_suspend_hwservice
     system_update_service
     test_boot_reason_prop
     thermal_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 58e6d91..5d872b9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -78,9 +78,6 @@
     hal_health_storage_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice
-    hal_system_suspend_default
-    hal_system_suspend_default_exec
-    hal_system_suspend_default_tmpfs
     hal_usb_gadget_hwservice
     hal_vehicle_hwservice
     hal_wifi_hostapd_hwservice
@@ -149,7 +146,6 @@
     staging_data_file
     system_boot_reason_prop
     system_lmk_prop
-    system_suspend_hwservice
     system_update_service
     test_boot_reason_prop
     time_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index ea88cd9..73679f6 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -63,9 +63,6 @@
     hal_health_storage_hwservice
     hal_input_classifier_hwservice
     hal_power_stats_hwservice
-    hal_system_suspend_default
-    hal_system_suspend_default_exec
-    hal_system_suspend_default_tmpfs
     heapprofd
     heapprofd_enabled_prop
     heapprofd_exec
diff --git a/private/file_contexts b/private/file_contexts
index 1c038ad..988ee25 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -297,7 +297,7 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:system_suspend_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te
deleted file mode 100644
index c948051..0000000
--- a/private/hal_system_suspend_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_system_suspend_default, domain, coredomain;
-hal_server_domain(hal_system_suspend_default, hal_system_suspend)
-
-type hal_system_suspend_default_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_system_suspend_default)
diff --git a/private/perfprofd.te b/private/perfprofd.te
index dfe4c3c..c65c6f1 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -5,11 +5,24 @@
 
 neverallow {
   domain
-  -hal_system_suspend_server
-  userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager')
+  userdebug_or_eng(`
+    -statsd
+    -system_server
+    -system_suspend_server
+    -hal_health_server
+    -hwservicemanager
+  ')
 } perfprofd:binder call;
+
 neverallow perfprofd {
   domain
-  -hal_system_suspend_server
-  userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager')
+  userdebug_or_eng(`
+    -servicemanager
+    -statsd
+    -su
+    -system_server
+    -system_suspend_server
+    -hal_health_server
+    -hwservicemanager
+  ')
 }:binder call;
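Review bot: Moving `-system_suspend_server` inside `userdebug_or_eng(...)` changes both neverallow rules on user builds. The old `-hal_system_suspend_server` exemption applied to every build variant, while the new one expands to nothing on user builds, so any binder call between perfprofd and the suspend service is now forbidden there. That is stricter and probably intended if perfprofd has no allow rules on user builds, but the commit message does not mention it and the listed tests do not name a build variant. I would confirm the policy also compiles for a user target and add a comment above the first rule, for example `# Exemptions apply on userdebug/eng only; on user builds no domain may exchange binder calls with perfprofd.`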
diff --git a/private/system_server.te b/private/system_server.te
index 7ed5339..22dcac8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -75,8 +75,6 @@
     sys_tty_config
 };
 
-wakelock_use(system_server)
-
 # Trigger module auto-load.
 allow system_server kernel:system module_request;
 
@@ -228,7 +226,6 @@
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_power_stats)
 hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_system_suspend)
 hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_tv_cec)
@@ -1006,6 +1003,11 @@
 
 # Allow system server to communicate to system-suspend's control interface
 allow system_server system_suspend_control_service:service_manager find;
+binder_call(system_server, system_suspend)
+binder_call(system_suspend, system_server)
+
+# Allow system server to communicate to system-suspend's wakelock interface
+wakelock_use(system_server)
 
 # Allow the system server to read files under /data/apex. The system_server
 # needs these privileges to compare file signatures while processing installs.
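Review bot: `binder_call(system_suspend, system_server)` is undocumented, because the comment above it describes only system_server talking to system-suspend's control interface. The rule lets the suspend daemon initiate binder calls into system_server, which replies to system_server's own calls do not need. If it exists for callbacks registered through the control interface (an inference, since the interface is not visible here), say so directly above it, for example `# system_suspend invokes callbacks that system_server registers via <control interface name>.` A rule whose source is system_suspend would also be easier to audit in private/system_suspend.te alongside that domain's other grants.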
diff --git a/private/system_suspend.te b/private/system_suspend.te
new file mode 100644
index 0000000..1ed24bb
--- /dev/null
+++ b/private/system_suspend.te
@@ -0,0 +1,11 @@
+type system_suspend, domain, coredomain, system_suspend_server;
+
+type system_suspend_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(system_suspend)
+
+# To serve ISuspendControlService.aidl.
+binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_service)
+
+# Access to /sys/power/{ wakeup_count, state } suspend interface.
+allow system_suspend sysfs_power:file rw_file_perms;
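Review bot: This new file gives `system_suspend` the `system_suspend_server` attribute on its first line but contains rules only for the AIDL control service, so a reader cannot tell where the ISystemSuspend.hal side is granted. If those hwbinder permissions are attached to the attribute in a file outside this hunk, a pointer here would help, for example `# ISystemSuspend.hal permissions are granted through the system_suspend_server attribute.` Separately, `allow system_suspend sysfs_power:file rw_file_perms;` applies to every file labelled `sysfs_power`, while its comment names only `wakeup_count` and `state`. The comment should either say the grant is label-wide or state that those two are the only nodes the daemon is expected to touch.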