From 09d4ccdc4d8cbc6f3c9daf25a491627d2f6de7be Mon Sep 17 00:00:00 2001
From: John Stultz <john.stultz@linaro.org>
Date: Tue, 2 Aug 2016 18:14:11 -0700
Subject: [PATCH] sepolicy: Add CAP_WAKE_ALARM to system_server.te

With v4.8+ kernels, CAP_WAKE_ALARM is needed to set
alarmtimers via timerfd (this change is likely to be
backported to stable as well).

However, with selinux enabled, we also need to allow
the capability on the system_server so this enables it.

Change-Id: I7cd64d587906f3fbc8a129d48a4db07373c74c7e
Signed-off-by: John Stultz <john.stultz@linaro.org>
(cherry picked from commit 19b6485f5ed005f1ae9b5ba06b3baca4639a4c83)
---
 system_server.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/system_server.te b/system_server.te
index 558770ba2..5f72ae038 100644
--- a/system_server.te
+++ b/system_server.te
@@ -64,6 +64,9 @@ wakelock_use(system_server)
 # Trigger module auto-load.
 allow system_server kernel:system module_request;
 
+# Allow alarmtimers to be set
+allow system_server self:capability2 wake_alarm;
+
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
-- 
GitLab