From 2659257c76a96bdae5ab59ecec790c7af5efa469 Mon Sep 17 00:00:00 2001
From: Dennis Shen
Date: Sun, 25 Feb 2024 15:44:51 +0000
Subject: [PATCH] aconfigd: create aconfig daemon selinux policy

Bug: b/312444587
Test: m and launch avd
Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9
---
 contexts/plat_file_contexts_test | 2 ++
 private/aconfigd.te | 28 ++++++++++++++++++++++++++++
 private/compat/34.0/34.0.ignore.cil | 3 +++
 private/domain.te | 4 ++++
 private/file.te | 3 +++
 private/file_contexts | 2 ++
 private/system_server.te | 5 ++---
 public/domain.te | 5 -----
 8 files changed, 44 insertions(+), 8 deletions(-)
 create mode 100644 private/aconfigd.te

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index c799171b1..b0be7b0cd 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -189,6 +189,7 @@
 /dev/socket socket_device
 /dev/socket/does_not_exist socket_device
 /dev/socket/adbd adbd_socket
+/dev/socket/aconfigd aconfigd_socket
 /dev/socket/dnsproxyd dnsproxyd_socket
 /dev/socket/dumpstate dumpstate_socket
 /dev/socket/fwmarkd fwmarkd_socket
@@ -462,6 +463,7 @@
 /system/usr/share/zoneinfo system_zoneinfo_file
 /system/usr/share/zoneinfo/0 system_zoneinfo_file
 /system/bin/adbd adbd_exec
+/system/bin/aconfigd aconfigd_exec
 /system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
 /system/bin/stats stats_exec
 /system/bin/statsd statsd_exec
diff --git a/private/aconfigd.te b/private/aconfigd.te
new file mode 100644
index 000000000..0621125bf
--- /dev/null
+++ b/private/aconfigd.te
@@ -0,0 +1,28 @@
+# aconfigd -- manager for aconfig flags
+type aconfigd, domain;
+type aconfigd_exec, exec_type, file_type, system_file_type;
+
+typeattribute aconfigd coredomain;
+
+init_daemon_domain(aconfigd)
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
+
+allow aconfigd metadata_file:dir search;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+
+# allow aconfigd to log to the kernel.
+allow aconfigd kmsg_device:chr_file w_file_perms;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 351d647a1..ec25aa1d7 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -45,4 +45,7 @@
 profiling_service
 aconfig_storage_metadata_file
 aconfig_storage_flags_metadata_file
+ aconfigd
+ aconfigd_exec
+ aconfigd_socket
 ))
diff --git a/private/domain.te b/private/domain.te
index 59e30c8b8..94e1ad8b4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -808,3 +808,7 @@ neverallow { domain -init } mtectrl:process { dyntransition transition };
 # For now, don't allow processes other than gmscore to access /data/misc_ce//checkin
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
+
+# Do not allow write access to aconfig flag value files except init and aconfigd
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
diff --git a/private/file.te b/private/file.te
index 24c118acd..6d8c9233b 100644
--- a/private/file.te
+++ b/private/file.te
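Review bot: The two `create_dir_perms`/`create_file_perms` blocks and the `metadata_file:dir search` rule are the only rules in the new domain without a comment, while the kmsg rule has one, so a reader cannot tell what these two file types label or why the daemon needs full create/unlink rights rather than plain write. The comment being deleted from public/domain.te already describes `aconfig_storage_metadata_file` as the general aconfig pb file and boot flag value files, and private/system_server.te places `aconfig_storage_flags_metadata_file` under /metadata/aconfig; carry that into a header above the blocks such as `# aconfigd owns the aconfig storage files (pb file, boot and /metadata flag values) and creates/rewrites them`, with `# traverse /metadata to reach the storage files` above the search rule. Nothing in this change grants any client domain `unix_stream_socket connectto` on aconfigd or write on `aconfigd_socket`, so the socket handed over by init is reachable by no domain yet, presumably pending a follow-up; a one-line comment next to the `aconfigd_socket` rule saying so would keep the next reader from treating it as an omission.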
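Review bot: The relocated neverallow gains `-aconfigd`, but no comment records why it moved from public/domain.te to private/domain.te; since `aconfigd` is declared in private/aconfigd.te, a public rule cannot name it, and a reader who later tries to move the rule back will only discover that at build time. Suggest extending the new comment with `# Lives in private/ because aconfigd is a private type; keep in sync with the aconfig_storage_flags_metadata_file rules in private/system_server.te`. The companion rule in system_server.te uses `no_rw_file_perms` while this one keeps `no_w_file_perms`, so the two storage types end up with different read exposure; if that asymmetry is intended, this comment is the place to say so.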
@@ -148,3 +148,6 @@ type system_font_fallback_file, system_file_type, file_type;
 # Type for /sys/devices/uprobe.
 type sysfs_uprobe, fs_type, sysfs_type;
+
+# Type for aconfig daemon socket
+type aconfigd_socket, file_type, coredomain_socket;
diff --git a/private/file_contexts b/private/file_contexts
index b9d661a7a..807ac448c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
 /dev/snd(/.*)? u:object_r:audio_device:s0
 /dev/socket(/.*)? u:object_r:socket_device:s0
 /dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/aconfigd u:object_r:aconfigd_socket:s0
 /dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate u:object_r:dumpstate_socket:s0
 /dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
@@ -386,6 +387,7 @@
 /system/bin/bpfloader u:object_r:bpfloader_exec:s0
 /system/bin/netbpfload u:object_r:bpfloader_exec:s0
 /system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/aconfigd u:object_r:aconfigd_exec:s0
 /system/bin/apexd u:object_r:apexd_exec:s0
 /system/bin/gsid u:object_r:gsid_exec:s0
 /system/bin/simpleperf u:object_r:simpleperf_exec:s0
diff --git a/private/system_server.te b/private/system_server.te
index 5b0caaa9c..f76216c74 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1527,9 +1527,8 @@ neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
 neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
 # Only system server should access /metadata/aconfig
-# TODO: add storage daemon to neverallow exception when it is introduced
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
diff --git a/public/domain.te b/public/domain.te
index 755b4b248..8374803f0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -629,11 +629,6 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# Do not allow write access to the general aconfig pb file and boot flag value files except init
-# TODO: need to add storage daemon into this exception list once it is created
-neverallow { domain -init } aconfig_storage_metadata_file:dir *;
-neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
-
 full_treble_only(`
 # Vendor apps are permited to use only stable public services. If they were to use arbitrary
 # services which can change any time framework/core is updated, breakage is likely.
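Review bot: The context comment `# Only system server should access /metadata/aconfig` is now inaccurate, because both new neverallow lines add `-aconfigd` to the exception set and the TODO that explained the pending exception is deleted with nothing replacing it. Change it to `# Only system server and aconfigd should access /metadata/aconfig` so the comment matches the rules it introduces; that line is context here, so it needs its own edit in this file.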