Restrict access to suspend control Test: m selinux_policy Change-Id: Ieccfd2aa059da065ace4f2db1b9634c52dd2cb24

commit: 131fa73add5fbc6d3373b496d7f4546167ab7403 [log] [tgz]
author: Tri Vo <trong@google.com> Thu Feb 07 13:29:39 2019 -0800
committer: Tri Vo <trong@google.com> Thu Mar 07 18:31:58 2019 +0000
tree: c32f70e9e34b9823cfb8a22ef323b7108e4d821f
parent: d99b7fd3f9be1c7ad2b434042e37db4e0cb41c54 [diff]
diff --git a/private/system_app.te b/private/system_app.te
index 27e8ef1..38e7938 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -80,6 +80,7 @@
   -iorapd_service
   -ipmemorystore_service
   -netd_service
+  -system_suspend_control_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service

diff --git a/private/system_suspend.te b/private/system_suspend.te
index 1ed24bb..e93a73d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te

@@ -9,3 +9,12 @@
 
 # Access to /sys/power/{ wakeup_count, state } suspend interface.
 allow system_suspend sysfs_power:file rw_file_perms;
+
+neverallow {
+    domain
+    -atrace # tracing
+    -dumpstate # bug reports
+    -system_suspend # implements system_suspend_control_service
+    -system_server # configures system_suspend via ISuspendControlService
+    -traceur_app # tracing
+} system_suspend_control_service:service_manager find;

diff --git a/public/shell.te b/public/shell.te
index 4f6bda5..42a19b0 100644
--- a/public/shell.te
+++ b/public/shell.te

@@ -116,6 +116,7 @@
   -installd_service
   -iorapd_service
   -netd_service
+  -system_suspend_control_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
commit	131fa73add5fbc6d3373b496d7f4546167ab7403	[log] [tgz]
author	Tri Vo <trong@google.com>	Thu Feb 07 13:29:39 2019 -0800
committer	Tri Vo <trong@google.com>	Thu Mar 07 18:31:58 2019 +0000
tree	c32f70e9e34b9823cfb8a22ef323b7108e4d821f
parent	d99b7fd3f9be1c7ad2b434042e37db4e0cb41c54 [diff]