type system_suspend, domain, coredomain, system_suspend_server;

type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)

# To serve ISuspendControlService.aidl.
binder_use(system_suspend)
add_service(system_suspend, system_suspend_control_service)

# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;

# TODO(b/128923994): remove once all debugging info moves to SystemSuspend.
# Access to /sys/power/{ wake_lock, wake_unlock } suspend blocker interface.
allow system_suspend self:global_capability2_class_set block_suspend;
allow system_suspend sysfs_wake_lock:file rw_file_perms;

neverallow {
    domain
    -atrace # tracing
    -dumpstate # bug reports
    -system_suspend # implements system_suspend_control_service
    -system_server # configures system_suspend via ISuspendControlService
    -traceur_app # tracing
} system_suspend_control_service:service_manager find;