Introduce wakelock_use()
Introduce wakelock_use(). This macro declares that a domain uses wakelocks. Wakelocks require both read-write access to files in /sys/power, and CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and file access are granted at the same time. Still TODO: fix device specific wakelock use. Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
parent
ccb9f7a100
commit
8599e34b95
5 changed files with 14 additions and 8 deletions
|
@ -9,7 +9,7 @@ write_klog(healthd)
|
|||
allow healthd tmpfs:chr_file { read write };
|
||||
|
||||
allow healthd self:capability { net_admin mknod sys_tty_config };
|
||||
allow healthd self:capability2 block_suspend;
|
||||
wakelock_use(healthd)
|
||||
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
binder_use(healthd)
|
||||
binder_service(healthd)
|
||||
|
|
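Review bot: Swapping `allow healthd self:capability2 block_suspend;` for `wakelock_use(healthd)` is not a pure refactor, because the macro defined in te_macros also grants `sysfs_wake_lock:file rw_file_perms`, which no visible line of this hunk gave healthd before (the rest of the file is outside the hunk, so it may already be allowed elsewhere). The rild.te hunk is the mirror case: rild previously had only the file rule and now also receives `capability2 block_suspend`. Both widenings are consistent with the commit description, but they are new permissions and should be reviewed as such rather than as a rename. A short comment above the healthd call, such as `# healthd takes wake locks; this also grants rw on sysfs_wake_lock`, would record that the extra access is intentional.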
2
rild.te
2
rild.te
|
@ -39,6 +39,6 @@ allow rild self:netlink_socket create_socket_perms;
|
|||
allow rild self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
# Access to wake locks
|
||||
allow rild sysfs_wake_lock:file rw_file_perms;
|
||||
wakelock_use(rild)
|
||||
|
||||
allow rild self:socket create_socket_perms;
|
||||
|
|
|
@ -53,7 +53,7 @@ allow system_server self:capability {
|
|||
sys_tty_config
|
||||
};
|
||||
|
||||
allow system_server self:capability2 block_suspend;
|
||||
wakelock_use(system_server)
|
||||
|
||||
# Triggered by /proc/pid accesses, not allowed.
|
||||
dontaudit system_server self:capability sys_ptrace;
|
||||
|
@ -316,9 +316,6 @@ allow system_server sensors_device:chr_file rw_file_perms;
|
|||
# Read from HW RNG (needed by EntropyMixer).
|
||||
allow system_server hw_random_device:chr_file r_file_perms;
|
||||
|
||||
# Access to wake locks
|
||||
allow system_server sysfs_wake_lock:file rw_file_perms;
|
||||
|
||||
# Read and delete files under /dev/fscklogs.
|
||||
r_dir_file(system_server, fscklogs)
|
||||
allow system_server fscklogs:dir { write remove_name };
|
||||
|
|
10
te_macros
10
te_macros
|
@ -173,6 +173,16 @@ define(`binder_service', `
|
|||
typeattribute $1 binderservicedomain;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# wakelock_use(domain)
|
||||
# Allow domain to manage wake locks
|
||||
define(`wakelock_use', `
|
||||
# Access /sys/power/wake_lock and /sys/power/wake_unlock
|
||||
allow $1 sysfs_wake_lock:file rw_file_perms;
|
||||
# Accessing these files requires CAP_BLOCK_SUSPEND
|
||||
allow $1 self:capability2 block_suspend;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# selinux_check_access(domain)
|
||||
# Allow domain to check SELinux permissions via selinuxfs.
|
||||
|
|
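Review bot: The header comment `# Allow domain to manage wake locks` understates what `wakelock_use` grants: every caller gets write access to the wake lock files and `capability2 block_suspend` together, with no way to take only one of them. I would state that in the header, e.g. `# Grants rw on sysfs_wake_lock files plus capability2 block_suspend; use only for domains that acquire wake locks themselves.` It would also help to note that the SELinux rule only permits the capability. The process must still hold CAP_BLOCK_SUSPEND in its effective set, so a domain can use this macro and still be denied by the kernel.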
3
vold.te
3
vold.te
|
@ -77,8 +77,7 @@ allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
|
|||
allow vold asec_public_file:file { relabelto setattr };
|
||||
|
||||
# Handle wake locks (used for device encryption)
|
||||
allow vold sysfs_wake_lock:file rw_file_perms;
|
||||
allow vold self:capability2 block_suspend;
|
||||
wakelock_use(vold)
|
||||
|
||||
# talk to batteryservice
|
||||
binder_use(vold)
|
||||
|
|