diff options
| author | Ever Rosales <everrosales@google.com> | 2022-06-01 09:12:53 +0000 |
|---|---|---|
| committer | Ever Rosales <everrosales@google.com> | 2022-06-07 18:13:53 +0000 |
| commit | 8dc87548dccf3ba780dd9ced90c578e61ce362e4 (patch) | |
| tree | 65193babfc8f2c960ca128317ea022aacfe014bd | |
| parent | 63cfe41fd230f69e4139160203d7e4fd0c4eb859 (diff) | |
| download | pixel-sepolicy-8dc87548dccf3ba780dd9ced90c578e61ce362e4.tar.gz | |
Adding new CTPM sepolicy and domain.
Right now the ConnectivityThermalPowerManager is part of the
platform_app sepolicy domain. platform_app's don't have access to the
power_stats_hal. So following the security principle of least privilege
we need to define our own domain with the permissions we previously had
as part of the old domain.
Test: Compiled and loaded onto device and saw no "avc: denied" sepolicy
errors
Bug: 202028512
Ignore-AOSP-First: CTPM is a pixel only feature for thermal / power
mitigation
Change-Id: I140b704fc39959ba683c09ebe9ea65f7bf94452b
| -rw-r--r-- | connectivity_thermal_power_manager/connectivity_thermal_power_manager.te | 15 | ||||
| -rw-r--r-- | connectivity_thermal_power_manager/seapp_contexts | 1 |
2 files changed, 16 insertions, 0 deletions
diff --git a/connectivity_thermal_power_manager/connectivity_thermal_power_manager.te b/connectivity_thermal_power_manager/connectivity_thermal_power_manager.te new file mode 100644 index 0000000..54b2e8c --- /dev/null +++ b/connectivity_thermal_power_manager/connectivity_thermal_power_manager.te @@ -0,0 +1,15 @@ +# platform_apps cannot access PowerHAL, so we need to define our own domain. +# Since we're defining and moving CTPM to its own domain, we need to assign +# all of the previous permissions that we had as a platform_app + +type connectivity_thermal_power_manager, domain, coredomain, system_suspend_internal_server; + +app_domain(connectivity_thermal_power_manager) + +# register previous permissions we had as a platform_app +allow connectivity_thermal_power_manager radio_service:service_manager find; +allow connectivity_thermal_power_manager app_api_service:service_manager find; +allow connectivity_thermal_power_manager system_api_service:service_manager find; + +# access power stats +hal_client_domain(connectivity_thermal_power_manager, hal_power_stats); diff --git a/connectivity_thermal_power_manager/seapp_contexts b/connectivity_thermal_power_manager/seapp_contexts new file mode 100644 index 0000000..28b2e0c --- /dev/null +++ b/connectivity_thermal_power_manager/seapp_contexts @@ -0,0 +1 @@ +user=_app seinfo=platform name=com.google.android.connectivitythermalpowermanager domain=connectivity_thermal_power_manager type=app_data_file levelFrom=all |