Sepolicy for system suspend HAL.
Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 96b3b07..5a96107 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -62,6 +62,9 @@
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_secure_element_hwservice
+ hal_system_suspend_default
+ hal_system_suspend_default_exec
+ hal_system_suspend_default_tmpfs
hal_tetheroffload_hwservice
hal_wifi_hostapd_hwservice
hal_usb_gadget_hwservice
@@ -113,6 +116,7 @@
system_boot_reason_prop
system_lmk_prop
system_net_netd_hwservice
+ system_suspend_hwservice
system_update_service
test_boot_reason_prop
thermal_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 2772cd7..9120694 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -55,6 +55,9 @@
hal_health_filesystem_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
+ hal_system_suspend_default
+ hal_system_suspend_default_exec
+ hal_system_suspend_default_tmpfs
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
@@ -98,6 +101,7 @@
storaged_data_file
system_boot_reason_prop
system_lmk_prop
+ system_suspend_hwservice
system_update_service
test_boot_reason_prop
time_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 91ef8df..18955b2 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -6,12 +6,16 @@
( activity_task_service
adb_service
hal_health_filesystem_hwservice
+ hal_system_suspend_default
+ hal_system_suspend_default_exec
+ hal_system_suspend_default_tmpfs
llkd
llkd_exec
llkd_tmpfs
mnt_product_file
overlayfs_file
system_lmk_prop
+ system_suspend_hwservice
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/file_contexts b/private/file_contexts
index 6c75385..003d66c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -279,6 +279,7 @@
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te
new file mode 100644
index 0000000..293f3de
--- /dev/null
+++ b/private/hal_system_suspend_default.te
@@ -0,0 +1,5 @@
+type hal_system_suspend_default, domain, coredomain;
+hal_server_domain(hal_system_suspend_default, hal_system_suspend)
+
+type hal_system_suspend_default_exec, exec_type, file_type;
+init_daemon_domain(hal_system_suspend_default)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 3779011..508d925 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -67,5 +67,6 @@
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
+android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
* u:object_r:default_android_hwservice:s0
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 25f9711..dfe4c3c 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -3,6 +3,13 @@
init_daemon_domain(perfprofd)
')
-# Only servicemanager, statsd, su, systemserver, hwservicemanager, health HAL can communicate.
-neverallow { domain userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager') } perfprofd:binder call;
-neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager') }:binder call;
+neverallow {
+ domain
+ -hal_system_suspend_server
+ userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager')
+} perfprofd:binder call;
+neverallow perfprofd {
+ domain
+ -hal_system_suspend_server
+ userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager')
+}:binder call;
diff --git a/private/system_server.te b/private/system_server.te
index d1e09be..750ee3e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -208,6 +208,7 @@
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_system_suspend)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)