Restrict access to suspend control

Test: m selinux_policy
Change-Id: Ieccfd2aa059da065ace4f2db1b9634c52dd2cb24

private/system_app.te

@@ -80,6 +80,7 @@ allow system_app {
   -iorapd_service
   -ipmemorystore_service
   -netd_service
+  -system_suspend_control_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service

private/system_suspend.te

@@ -9,3 +9,12 @@ add_service(system_suspend, system_suspend_control_service)
 
 # Access to /sys/power/{ wakeup_count, state } suspend interface.
 allow system_suspend sysfs_power:file rw_file_perms;
+
+neverallow {
+    domain
+    -atrace # tracing
+    -dumpstate # bug reports
+    -system_suspend # implements system_suspend_control_service
+    -system_server # configures system_suspend via ISuspendControlService
+    -traceur_app # tracing
+} system_suspend_control_service:service_manager find;

public/shell.te

@@ -116,6 +116,7 @@ allow shell {
   -installd_service
   -iorapd_service
   -netd_service
+  -system_suspend_control_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service