From f008c29e473ce3b59a84cdfe7c62df4a46afeb26 Mon Sep 17 00:00:00 2001 From: Dennis Shen Date: Wed, 28 Feb 2024 18:08:10 +0000 Subject: [PATCH] aconfig_storage: setup RO partitions aconfig storage files SELinux policy system, system_ext, product and vendor partitions have aconfig storage files under //etc/aconfig dir. need to grant access to aconfigd. Bug: b/312459182 Test: m and tested with AVD Change-Id: I9750c24ffa26994e4f5deadd9d772e31211a446a --- contexts/plat_file_contexts_test | 4 ++++ private/aconfigd.te | 8 ++++++++ private/domain.te | 1 + private/file.te | 6 ++++++ private/file_contexts | 3 +++ 5 files changed, 22 insertions(+) diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test index b0be7b0cd..9590349ad 100644 --- a/contexts/plat_file_contexts_test +++ b/contexts/plat_file_contexts_test @@ -433,6 +433,7 @@ /system/bin/virtual_touchpad virtual_touchpad_exec /system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec /system/bin/hw/android.system.suspend-service system_suspend_exec +/system/etc/aconfig system_aconfig_storage_file /system/etc/cgroups.json cgroup_desc_file /system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file /system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file @@ -497,6 +498,7 @@ /system/vendor/bin/toolbox vendor_toolbox_exec /vendor/etc vendor_configs_file /vendor/etc/does_not_exist vendor_configs_file +/vendor/etc/aconfig vendor_aconfig_storage_file /system/vendor/etc vendor_configs_file /system/vendor/etc/does_not_exist vendor_configs_file /vendor/etc/cgroups.json vendor_cgroup_desc_file @@ -731,6 +733,8 @@ /system_ext/overlay/does_not_exist vendor_overlay_file /system/system_ext/overlay vendor_overlay_file /system/system_ext/overlay/does_not_exist vendor_overlay_file +/system_ext/etc/aconfig system_aconfig_storage_file +/product/etc/aconfig system_aconfig_storage_file /system_ext/etc/selinux/system_ext_file_contexts file_contexts_file /system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file diff --git a/private/aconfigd.te b/private/aconfigd.te index 0621125bf..43a08ce05 100644 --- a/private/aconfigd.te +++ b/private/aconfigd.te @@ -26,3 +26,11 @@ allow aconfigd aconfigd_socket:sock_file rw_file_perms; # allow aconfigd to log to the kernel. allow aconfigd kmsg_device:chr_file w_file_perms; + +# allow aconfigd to read system/system_ext/product partition storage files +allow aconfigd system_aconfig_storage_file:file r_file_perms; +allow aconfigd system_aconfig_storage_file:dir r_dir_perms; + +# allow aconfigd to read vendor partition storage files +allow aconfigd vendor_aconfig_storage_file:file r_file_perms; +allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms; diff --git a/private/domain.te b/private/domain.te index 94e1ad8b4..66bce05e2 100644 --- a/private/domain.te +++ b/private/domain.te @@ -652,6 +652,7 @@ full_treble_only(` -vendor_task_profiles_file -vendor_uuid_mapping_config_file -vndk_sp_file + -vendor_aconfig_storage_file }:file *; ') diff --git a/private/file.te b/private/file.te index 6d8c9233b..c4341af9e 100644 --- a/private/file.te +++ b/private/file.te @@ -151,3 +151,9 @@ type sysfs_uprobe, fs_type, sysfs_type; # Type for aconfig daemon socket type aconfigd_socket, file_type, coredomain_socket; + +# Type for /(system|system_ext|product)/etc/aconfig +type system_aconfig_storage_file, system_file_type, file_type; + +# Type for /vendor/etc/aconfig +type vendor_aconfig_storage_file, vendor_file_type, file_type; diff --git a/private/file_contexts b/private/file_contexts index 807ac448c..63b3d1eff 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -358,6 +358,7 @@ /system/bin/virtual_camera u:object_r:virtual_camera_exec:s0 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0 /system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0 +/(system|system_ext|product)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0 /system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0 /system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0 /system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0 @@ -430,6 +431,8 @@ /(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0 /(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0 +/(vendor|system/vendor)/etc/aconfig(/.*)? u:object_r:vendor_aconfig_storage_file:s0 + # HAL location /(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0