aconfigd: create aconfig daemon selinux policy Bug: b/312444587 Test: m and launch avd Change-Id: I0156a9dee05139ec84541e0dff2f95285c97cfb9

commit: 2659257c76a96bdae5ab59ecec790c7af5efa469 [log] [tgz]
author: Dennis Shen <dzshen@google.com> Sun Feb 25 15:44:51 2024 +0000
committer: Dennis Shen <dzshen@google.com> Mon Feb 26 19:58:48 2024 +0000
tree: 55cc605b1499c8f09b7b813e406dbda80915f7f0
parent: 96ba523a8dc9459d52345d6525771644aa4a96d8 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 5b0caaa..f76216c 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1527,9 +1527,8 @@
 neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
 
 # Only system server should access /metadata/aconfig
-# TODO: add storage daemon to neverallow exception when it is introduced
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
 
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
commit	2659257c76a96bdae5ab59ecec790c7af5efa469	[log] [tgz]
author	Dennis Shen <dzshen@google.com>	Sun Feb 25 15:44:51 2024 +0000
committer	Dennis Shen <dzshen@google.com>	Mon Feb 26 19:58:48 2024 +0000
tree	55cc605b1499c8f09b7b813e406dbda80915f7f0
parent	96ba523a8dc9459d52345d6525771644aa4a96d8 [diff] [blame]