Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.

Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e

Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.
Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e
77eb3526 · Sharvil Nanavati · 596bcc76 · 77eb3526 · 77eb3526
Commit 77eb3526 authored 10 years ago by Sharvil Nanavati
--- a/app.te
+++ b/app.te
@@ -185,9 +185,9 @@ use_keystore(appdomain)
 ###

 # Superuser capabilities.
-# bluetooth requires net_admin.
+# bluetooth requires net_admin and wake_alarm.
 neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { appdomain -unconfineddomain } self:capability2 *;
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability2 *;

 # Block device access.
 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

--- a/bluetooth.te
+++ b/bluetooth.te
@@ -28,6 +28,7 @@ allow bluetoothdomain self:socket create_socket_perms;
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;

 # Allow clients to use a socket provided by the bluetooth app.
 # TODO:  See if this is still required under bluedroid.
@@ -55,5 +56,6 @@ allow bluetooth ctl_dhcp_pan_prop:property_service set;
 ###

 # Superuser capabilities.
-# bluetooth requires net_admin.
+# bluetooth requires net_admin and wake_alarm.
 neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
+neverallow { bluetooth -unconfineddomain } self:capability2 ~wake_alarm;