a2b17ab856
Read access to this file is needed by any process that reads flags. For now, exclude access to vendors. Bug: 328444881 Test: m Change-Id: I1899d2a0c61a6286fc285a532244730ad1e4a0fc
39 lines
1.2 KiB
Text
39 lines
1.2 KiB
Text
# aconfigd -- manager for aconfig flags
|
|
type aconfigd, domain;
|
|
type aconfigd_exec, exec_type, file_type, system_file_type;
|
|
|
|
typeattribute aconfigd coredomain;
|
|
|
|
init_daemon_domain(aconfigd)
|
|
|
|
# only init is allowed to enter the aconfigd domain
|
|
neverallow { domain -init } aconfigd:process transition;
|
|
neverallow * aconfigd:process dyntransition;
|
|
|
|
allow aconfigd metadata_file:dir search;
|
|
|
|
allow aconfigd {
|
|
aconfig_storage_metadata_file
|
|
aconfig_storage_flags_metadata_file
|
|
}:dir create_dir_perms;
|
|
|
|
allow aconfigd {
|
|
aconfig_storage_metadata_file
|
|
aconfig_storage_flags_metadata_file
|
|
}:file create_file_perms;
|
|
|
|
allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
|
|
allow aconfigd aconfigd_socket:sock_file rw_file_perms;
|
|
|
|
# allow aconfigd to access shell_data_file for atest
|
|
userdebug_or_eng(`
|
|
allow aconfigd shell_data_file:dir search;
|
|
allow aconfigd shell_data_file:file { getattr read open map };
|
|
')
|
|
|
|
# allow aconfigd to log to the kernel.
|
|
allow aconfigd kmsg_device:chr_file w_file_perms;
|
|
|
|
# allow aconfigd to read vendor partition storage files
|
|
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
|
|
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
|