Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main am: 3041c33c91

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2982791

Change-Id: I3c601bb71699e80fb052b9d5c087fe792ec87f52
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Dennis Shen 2024-02-29 19:32:49 +00:00 committed by Automerger Merge Worker
commit 1bfa2552ad
5 changed files with 22 additions and 0 deletions


@ -433,6 +433,7 @@
/system/bin/virtual_touchpad virtual_touchpad_exec /system/bin/virtual_touchpad virtual_touchpad_exec
/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec /system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
/system/bin/hw/android.system.suspend-service system_suspend_exec /system/bin/hw/android.system.suspend-service system_suspend_exec
/system/etc/aconfig system_aconfig_storage_file
/system/etc/cgroups.json cgroup_desc_file /system/etc/cgroups.json cgroup_desc_file
/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file /system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file /system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
@ -497,6 +498,7 @@
/system/vendor/bin/toolbox vendor_toolbox_exec /system/vendor/bin/toolbox vendor_toolbox_exec
/vendor/etc vendor_configs_file /vendor/etc vendor_configs_file
/vendor/etc/does_not_exist vendor_configs_file /vendor/etc/does_not_exist vendor_configs_file
/vendor/etc/aconfig vendor_aconfig_storage_file
/system/vendor/etc vendor_configs_file /system/vendor/etc vendor_configs_file
/system/vendor/etc/does_not_exist vendor_configs_file /system/vendor/etc/does_not_exist vendor_configs_file
/vendor/etc/cgroups.json vendor_cgroup_desc_file /vendor/etc/cgroups.json vendor_cgroup_desc_file
@ -731,6 +733,8 @@
/system_ext/overlay/does_not_exist vendor_overlay_file /system_ext/overlay/does_not_exist vendor_overlay_file
/system/system_ext/overlay vendor_overlay_file /system/system_ext/overlay vendor_overlay_file
/system/system_ext/overlay/does_not_exist vendor_overlay_file /system/system_ext/overlay/does_not_exist vendor_overlay_file
/system_ext/etc/aconfig system_aconfig_storage_file
/product/etc/aconfig system_aconfig_storage_file
/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file /system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file /system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
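Review bot: The four new entries test only the bare directories, so the `(/.*)?` suffix and the `system/vendor` alternative of the patterns this commit adds to file_contexts are never exercised. Neighbouring entries pair a directory with a child path; the same could be done here with `/system/etc/aconfig/does_not_exist system_aconfig_storage_file` and `/system/vendor/etc/aconfig vendor_aconfig_storage_file`. Also, `/(system|system_ext|product)/etc/aconfig(/.*)?` does not match `/system/system_ext/etc/aconfig` or `/system/product/etc/aconfig`, while the context lines of this section label `/system/system_ext/...` paths explicitly. On a build that places those partitions under /system the storage files would presumably not receive system_aconfig_storage_file, and the aconfigd read rules added in this commit would not apply to them; if that layout is supported, the alternation needs `system/system_ext` and `system/product` plus matching test lines.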


@ -26,3 +26,11 @@ allow aconfigd aconfigd_socket:sock_file rw_file_perms;
# allow aconfigd to log to the kernel. # allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms; allow aconfigd kmsg_device:chr_file w_file_perms;
# allow aconfigd to read system/system_ext/product partition storage files
allow aconfigd system_aconfig_storage_file:file r_file_perms;
allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;


@ -652,6 +652,7 @@ full_treble_only(`
-vendor_task_profiles_file -vendor_task_profiles_file
-vendor_uuid_mapping_config_file -vendor_uuid_mapping_config_file
-vndk_sp_file -vndk_sp_file
-vendor_aconfig_storage_file
}:file *; }:file *;
') ')
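Review bot: The added `-vendor_aconfig_storage_file` exemption has no comment explaining which core domain needs the type, and it is subtracted from a rule ending in `:file *`, so it lifts the restriction for every file permission, write included. The rule's source set begins outside this hunk; if it is coredomain as a whole, any future allow rule from a core domain to this type will pass the check unnoticed. The only grant in this commit is read-only access for aconfigd, so a comment such as `# aconfigd (coredomain) reads aconfig storage files on the vendor partition` next to the exemption, and possibly a companion `neverallow` limiting other core domains or write access to the type, would keep the exception as narrow as the grant.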


@ -151,3 +151,9 @@ type sysfs_uprobe, fs_type, sysfs_type;
# Type for aconfig daemon socket # Type for aconfig daemon socket
type aconfigd_socket, file_type, coredomain_socket; type aconfigd_socket, file_type, coredomain_socket;
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;
# Type for /vendor/etc/aconfig
type vendor_aconfig_storage_file, vendor_file_type, file_type;


@ -358,6 +358,7 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0 /system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0 /system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/(system|system_ext|product)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0 /system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0 /system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0 /system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@ -430,6 +431,8 @@
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0 /(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0 /(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
/(vendor|system/vendor)/etc/aconfig(/.*)? u:object_r:vendor_aconfig_storage_file:s0
# HAL location # HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0 /(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0