platform_system_sepolicy/private/aconfigd.te

# aconfigd -- manager for aconfig flags
type aconfigd, domain;
type aconfigd_exec, exec_type, file_type, system_file_type;

typeattribute aconfigd coredomain;

init_daemon_domain(aconfigd)

# only init is allowed to enter the aconfigd domain
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;

allow aconfigd metadata_file:dir search;

allow aconfigd {
    aconfig_storage_metadata_file
    aconfig_storage_flags_metadata_file
}:dir create_dir_perms;

allow aconfigd {
    aconfig_storage_metadata_file
    aconfig_storage_flags_metadata_file
}:file create_file_perms;

allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
allow aconfigd aconfigd_socket:sock_file rw_file_perms;

# allow aconfigd to access shell_data_file for atest
userdebug_or_eng(`
    allow aconfigd shell_data_file:dir search;
    allow aconfigd shell_data_file:file { getattr read open map };
')

# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms;

# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;

# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
aconfigd: create aconfig daemon selinux policy Bug: b/312444587 Test: m and launch avd Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9 2024-02-25 16:44:51 +01:00			`# aconfigd -- manager for aconfig flags`
			`type aconfigd, domain;`
			`type aconfigd_exec, exec_type, file_type, system_file_type;`

			`typeattribute aconfigd coredomain;`

			`init_daemon_domain(aconfigd)`

			`# only init is allowed to enter the aconfigd domain`
			`neverallow { domain -init } aconfigd:process transition;`
			`neverallow * aconfigd:process dyntransition;`

			`allow aconfigd metadata_file:dir search;`

			`allow aconfigd {`
			`aconfig_storage_metadata_file`
			`aconfig_storage_flags_metadata_file`
			`}:dir create_dir_perms;`

			`allow aconfigd {`
			`aconfig_storage_metadata_file`
			`aconfig_storage_flags_metadata_file`
			`}:file create_file_perms;`

update aconfigd selinux policy For aconfigd test, for atest to work, the shell domain needs to be able to connect to aconfigd_socket. In addition, aconfigd needs to be able to access the test storage files as shell_data_file. All these policies are only needed for userdebug_or_eng build. Bug: 312459182 Test: m, launch avd, atest, then audit2allow, no avc denials found Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c 2024-03-19 03:33:00 +01:00			`allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };`
aconfigd: create aconfig daemon selinux policy Bug: b/312444587 Test: m and launch avd Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9 2024-02-25 16:44:51 +01:00			`allow aconfigd aconfigd_socket:sock_file rw_file_perms;`

update aconfigd selinux policy For aconfigd test, for atest to work, the shell domain needs to be able to connect to aconfigd_socket. In addition, aconfigd needs to be able to access the test storage files as shell_data_file. All these policies are only needed for userdebug_or_eng build. Bug: 312459182 Test: m, launch avd, atest, then audit2allow, no avc denials found Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c 2024-03-19 03:33:00 +01:00			`# allow aconfigd to access shell_data_file for atest`
			userdebug_or_eng(`
			`allow aconfigd shell_data_file:dir search;`
allow aconfigd to mmap test storage files Bug: b/312459182 Test: atest aconfigd_test Change-Id: Ia4ee6606e3e8721e4ed22c63ac7046f9511be2b9 2024-03-21 19:58:11 +01:00			`allow aconfigd shell_data_file:file { getattr read open map };`
update aconfigd selinux policy For aconfigd test, for atest to work, the shell domain needs to be able to connect to aconfigd_socket. In addition, aconfigd needs to be able to access the test storage files as shell_data_file. All these policies are only needed for userdebug_or_eng build. Bug: 312459182 Test: m, launch avd, atest, then audit2allow, no avc denials found Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c 2024-03-19 03:33:00 +01:00			`')`

aconfigd: create aconfig daemon selinux policy Bug: b/312444587 Test: m and launch avd Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9 2024-02-25 16:44:51 +01:00			`# allow aconfigd to log to the kernel.`
			`allow aconfigd kmsg_device:chr_file w_file_perms;`
aconfig_storage: setup RO partitions aconfig storage files SELinux policy system, system_ext, product and vendor partitions have aconfig storage files under /<partition>/etc/aconfig dir. need to grant access to aconfigd. Bug: b/312459182 Test: m and tested with AVD Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a 2024-02-28 19:08:10 +01:00
			`# allow aconfigd to read vendor partition storage files`
			`allow aconfigd vendor_aconfig_storage_file:file r_file_perms;`
			`allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;`
selinux: allow aconfig to read /aepx Bug: b/312444587 Test: m and avd Change-Id: I6ac81dd211ad7669952f97f9541c44e14680bec6 2024-05-17 19:24:20 +02:00
			`# allow aconfigd to read /apex dir`
			`allow aconfigd apex_mnt_dir:dir r_dir_perms;`
			`allow aconfigd apex_mnt_dir:file r_file_perms;`