Decouple system_suspend from hal attributes.
System suspend service is not a HAL, so avoid using HAL-specific macros
and attributes.
Use system_suspend_server attribute for ISystemSuspend.hal permissions.
Use system_suspend type directly for internal .aidl interface
permissions.
Bug: 126259100
Test: m selinux_policy
Test: blueline boots; wakelocks can still be acquired; device suspends
if left alone.
Change-Id: Ie811e7da46023705c93ff4d76d15709a56706714
diff --git a/public/attributes b/public/attributes
index 5a40421..8f52637 100644
--- a/public/attributes
+++ b/public/attributes
@@ -280,7 +280,6 @@
hal_attribute(power_stats);
hal_attribute(secure_element);
hal_attribute(sensors);
-hal_attribute(system_suspend);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
@@ -307,3 +306,4 @@
attribute display_service_server;
attribute wifi_keystore_service_server;
attribute mediaswcodec_server;
+attribute system_suspend_server;
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
deleted file mode 100644
index 13fb654..0000000
--- a/public/hal_system_suspend.te
+++ /dev/null
@@ -1,13 +0,0 @@
-binder_use(hal_system_suspend_server)
-binder_call(hal_system_suspend_client, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, hal_system_suspend_client)
-
-# To preserve the semantics of wakelock_use macro, not all clients of
-# system_suspend_hwservice have hal_system_suspend_client attribute. For that
-# reason we don't use hal_attribute_hwservice macro here.
-add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
-add_service(hal_system_suspend_server, system_suspend_control_service)
-allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
-
-allow hal_system_suspend_server sysfs_power:file rw_file_perms;
-allow hal_system_suspend_server system_server:fd use;
diff --git a/public/su.te b/public/su.te
index e09248b..346b1fe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -87,7 +87,6 @@
typeattribute su hal_power_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
- typeattribute su hal_system_suspend_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
diff --git a/public/system_suspend_server.te b/public/system_suspend_server.te
new file mode 100644
index 0000000..8e8310d
--- /dev/null
+++ b/public/system_suspend_server.te
@@ -0,0 +1,6 @@
+# Required to export a HIDL interface.
+hwbinder_use(system_suspend_server)
+get_prop(system_suspend_server, hwservicemanager_prop)
+
+# To serve ISystemSuspend.hal.
+add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/public/te_macros b/public/te_macros
index 6541525..b9a6c05 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -399,19 +399,16 @@
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
-# TODO(b/36375663): wake lock clients should be tagged with
-# hal_system_suspend_client and halclientdomain attributes. However,
-# typeattribute statements do not allow applying attributes to other attributes,
-# so instead we grant appropriate permissions directly within this macro.
-# hal_system_suspend_client permissions
-binder_call($1, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, $1)
+# system_suspend permissions
+binder_call($1, system_suspend_server)
allow $1 system_suspend_hwservice:hwservice_manager find;
-# halclientdomain perimssions
+# halclientdomain permissions
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
diff --git a/public/vold.te b/public/vold.te
index d201257..ace733f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -294,7 +294,7 @@
-ashmemd
-hal_health_storage_server
-hal_keymaster_server
- -hal_system_suspend_server
+ -system_suspend_server
-hal_bootctl_server
-healthd
-hwservicemanager