tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Introduce wakelock_use()

Browse source 
Introduce wakelock_use(). This macro declares that a domain uses
wakelocks.

Wakelocks require both read-write access to files in /sys/power, and
CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and
file access are granted at the same time.

Still TODO: fix device specific wakelock use.

Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
This commit is contained in:
Nick Kralevich 2014-05-23 13:33:32 -07:00
parent ccb9f7a100
commit 8599e34b95
5 changed files with 14 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
healthd.te
View file

@ -9,7 +9,7 @@ write_klog(healthd)
allow healthd tmpfs:chr_file { read write }; allow healthd tmpfs:chr_file { read write };
allow healthd self:capability { net_admin mknod sys_tty_config }; allow healthd self:capability { net_admin mknod sys_tty_config };
allow healthd self:capability2 block_suspend; wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms; allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
binder_use(healthd) binder_use(healthd)
binder_service(healthd) binder_service(healthd)

2
rild.te
View file

@ -39,6 +39,6 @@ allow rild self:netlink_socket create_socket_perms;
allow rild self:netlink_kobject_uevent_socket create_socket_perms; allow rild self:netlink_kobject_uevent_socket create_socket_perms;
# Access to wake locks # Access to wake locks
allow rild sysfs_wake_lock:file rw_file_perms; wakelock_use(rild)
allow rild self:socket create_socket_perms; allow rild self:socket create_socket_perms;

5
system_server.te
View file

@ -53,7 +53,7 @@ allow system_server self:capability {
sys_tty_config sys_tty_config
}; };
allow system_server self:capability2 block_suspend; wakelock_use(system_server)
# Triggered by /proc/pid accesses, not allowed. # Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace; dontaudit system_server self:capability sys_ptrace;
@ -316,9 +316,6 @@ allow system_server sensors_device:chr_file rw_file_perms;
# Read from HW RNG (needed by EntropyMixer). # Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms; allow system_server hw_random_device:chr_file r_file_perms;
# Access to wake locks
allow system_server sysfs_wake_lock:file rw_file_perms;
# Read and delete files under /dev/fscklogs. # Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs) r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name }; allow system_server fscklogs:dir { write remove_name };

10
te_macros
View file

@ -173,6 +173,16 @@ define(`binder_service', `
typeattribute $1 binderservicedomain; typeattribute $1 binderservicedomain;
') ')
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:capability2 block_suspend;
')
##################################### #####################################
# selinux_check_access(domain) # selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs. # Allow domain to check SELinux permissions via selinuxfs.

3
vold.te
View file

@ -77,8 +77,7 @@ allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
allow vold asec_public_file:file { relabelto setattr }; allow vold asec_public_file:file { relabelto setattr };
# Handle wake locks (used for device encryption) # Handle wake locks (used for device encryption)
allow vold sysfs_wake_lock:file rw_file_perms; wakelock_use(vold)
allow vold self:capability2 block_suspend;
# talk to batteryservice # talk to batteryservice
binder_use(vold) binder_use(vold)