From 8599e34b95705638034b798c56bc2cc8bb2e6372 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 23 May 2014 13:33:32 -0700
Subject: [PATCH] Introduce wakelock_use()
Introduce wakelock_use(). This macro declares that a domain uses wakelocks. Wakelocks require both read-write access to files in /sys/power, and CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and file access are granted at the same time. Still TODO: fix device specific wakelock use.
Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
---
 healthd.te | 2 +-
 rild.te | 2 +-
 system_server.te | 5 +----
 te_macros | 10 ++++++++++
 vold.te | 3 +--
 5 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/healthd.te b/healthd.te
index 224090edf..dd49e4e9b 100644
--- a/healthd.te
+++ b/healthd.te
@@ -9,7 +9,7 @@ write_klog(healthd)
 allow healthd tmpfs:chr_file { read write };
 allow healthd self:capability { net_admin mknod sys_tty_config };
-allow healthd self:capability2 block_suspend;
+wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
 binder_service(healthd)
diff --git a/rild.te b/rild.te
index 6d2cd3884..f272862ca 100644
--- a/rild.te
+++ b/rild.te
@@ -39,6 +39,6 @@ allow rild self:netlink_socket create_socket_perms;
 allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 # Access to wake locks
-allow rild sysfs_wake_lock:file rw_file_perms;
+wakelock_use(rild)
 allow rild self:socket create_socket_perms;
diff --git a/system_server.te b/system_server.te
index 81e31fcfc..4b8e38490 100644
--- a/system_server.te
+++ b/system_server.te
@@ -53,7 +53,7 @@ allow system_server self:capability { sys_tty_config };
-allow system_server self:capability2 block_suspend;
+wakelock_use(system_server)
 # Triggered by /proc/pid accesses, not allowed.
 dontaudit system_server self:capability sys_ptrace;
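Review bot: The healthd.te and rild.te hunks widen policy rather than just refactoring it. `wakelock_use(healthd)` adds `sysfs_wake_lock:file rw_file_perms` to a domain that previously held only `capability2 block_suspend`, and `wakelock_use(rild)` adds `block_suspend` to a domain that previously had only the file access. CAP_BLOCK_SUSPEND is also what the kernel checks for EPOLLWAKEUP, so a domain can need the capability without ever opening the files under /sys/power; it would be worth confirming from denial logs that each domain actually uses the half it gains here. If the widening is intended, a call-site comment such as `# wakelock_use also grants sysfs_wake_lock rw, which healthd did not have before` (and the equivalent for rild's new capability) would keep a later audit from reading these lines as a no-op conversion.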
@@ -316,9 +316,6 @@ allow system_server sensors_device:chr_file rw_file_perms;
 # Read from HW RNG (needed by EntropyMixer).
 allow system_server hw_random_device:chr_file r_file_perms;
-# Access to wake locks
-allow system_server sysfs_wake_lock:file rw_file_perms;
-
 # Read and delete files under /dev/fscklogs.
 r_dir_file(system_server, fscklogs)
 allow system_server fscklogs:dir { write remove_name };
diff --git a/te_macros b/te_macros
index ecdf8b4f8..fb6cdae1c 100644
--- a/te_macros
+++ b/te_macros
@@ -173,6 +173,16 @@ define(`binder_service', `
 typeattribute $1 binderservicedomain;
 ')
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:capability2 block_suspend;
+')
+
 #####################################
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
diff --git a/vold.te b/vold.te
index 7fbba76ed..30cd9d2b5 100644
--- a/vold.te
+++ b/vold.te
@@ -77,8 +77,7 @@ allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
 allow vold asec_public_file:file { relabelto setattr };
 # Handle wake locks (used for device encryption)
-allow vold sysfs_wake_lock:file rw_file_perms;
-allow vold self:capability2 block_suspend;
+wakelock_use(vold)
 # talk to batteryservice
 binder_use(vold)
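Review bot: The header comment on the new `wakelock_use` macro in te_macros says only "Allow domain to manage wake locks", so a policy author skimming the macro list cannot tell that calling it also grants a capability. Since this macro is the one place that pairs the two grants, I would say so in the header, e.g. `# Grants rw access to sysfs_wake_lock files plus CAP_BLOCK_SUSPEND; do not use for domains that need only one of the two.` The per-rule comments inside the macro body already explain each allow line and can stay as they are.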