SEPolicy for Suspend Control interface.
Bug: 121210355
Test: manual
Change-Id: I9c46c72f0219309140ed2fb008ef57b4bca6ff2b
Merged-In: I9c46c72f0219309140ed2fb008ef57b4bca6ff2b
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 924726c..6154e3c 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -107,6 +107,7 @@
system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
+ system_suspend_control_service
staging_data_file
task_profiles_file
testharness_service
diff --git a/private/service_contexts b/private/service_contexts
index 965304c..650b62e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -182,6 +182,7 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+suspend_control u:object_r:system_suspend_control_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 49b5498..98ae7f8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -991,6 +991,9 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_service:service_manager find;
+
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
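Review bot: The added comment says system_server may "communicate" with the control interface, but the rule under it grants only `find` on `system_suspend_control_service` at the service manager. The binder call into the serving domain has to come from a rule outside this hunk, for example system_server carrying `hal_system_suspend_client`, which the `binder_call` lines in public/hal_system_suspend.te would cover. That is not visible here and is worth confirming, because a missing rule shows up as a binder `call` denial at runtime rather than as a build failure. I would narrow the comment to what the rule does, e.g. `# Allow system_server to look up system_suspend's control service; the binder call itself is granted by <rule/attribute to confirm>.`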
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
index 21c6cb6..13fb654 100644
--- a/public/hal_system_suspend.te
+++ b/public/hal_system_suspend.te
@@ -1,3 +1,4 @@
+binder_use(hal_system_suspend_server)
binder_call(hal_system_suspend_client, hal_system_suspend_server)
binder_call(hal_system_suspend_server, hal_system_suspend_client)
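Review bot: `binder_use(hal_system_suspend_server)` is granted to the public HAL server attribute rather than to a concrete domain, so every domain ever tagged `hal_system_suspend_server` gains framework binder access. Together with `add_service(hal_system_suspend_server, system_suspend_control_service)` in the next hunk, such a domain can also register `suspend_control`. If the control interface is meant to be served only by the framework's own system_suspend daemon (an assumption, since its domain file is not part of this diff), scoping both rules to that domain in private policy would stop any other implementation of the HAL from inheriting them. At minimum the new line deserves a why-comment, e.g. `# The suspend control interface is served over framework binder, not hwbinder.`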
@@ -5,6 +6,7 @@
# system_suspend_hwservice have hal_system_suspend_client attribute. For that
# reason we don't use hal_attribute_hwservice macro here.
add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
+add_service(hal_system_suspend_server, system_suspend_control_service)
allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
allow hal_system_suspend_server sysfs_power:file rw_file_perms;
diff --git a/public/service.te b/public/service.te
index ad5fc0a..3d5b41c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_suspend_control_service, service_manager_type;
type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;