aconfigd: create aconfig daemon selinux policy
Bug: b/312444587
Test: m and launch avd
Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9
diff --git a/private/aconfigd.te b/private/aconfigd.te
new file mode 100644
index 0000000..0621125
--- /dev/null
+++ b/private/aconfigd.te
@@ -0,0 +1,28 @@
+# aconfigd -- manager for aconfig flags
+type aconfigd, domain;
+type aconfigd_exec, exec_type, file_type, system_file_type;
+
+typeattribute aconfigd coredomain;
+
+init_daemon_domain(aconfigd)
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
+
+allow aconfigd metadata_file:dir search;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+
+# allow aconfigd to log to the kernel.
+allow aconfigd kmsg_device:chr_file w_file_perms;
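Review bot: The two allow rules on the aconfig storage types (`aconfig_storage_metadata_file`, `aconfig_storage_flags_metadata_file`) give aconfigd full create/write access, but nothing in this file states that aconfigd is the only domain allowed to modify flag storage, so a later allow rule in another domain would go unnoticed by policy tooling. In the style of the `neverallow` rules already placed above the process-transition rules, consider adding `neverallow { domain -aconfigd -init } { aconfig_storage_metadata_file aconfig_storage_flags_metadata_file }:file no_w_file_perms;`, dropping `-init` if init never needs to write these files (the `create_dir_perms` grant suggests aconfigd creates the directories itself — confirm). The `aconfigd_socket`, `aconfig_storage_metadata_file` and `aconfig_storage_flags_metadata_file` types used here are not declared in this hunk and are presumably introduced elsewhere in the change; a one-line comment above the first storage rule naming where they are declared would help the next reader. A short comment above the `sock_file` rule stating that the socket is created by init (if that is the case) would also explain why no `create` permission on it is granted here.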