SELinux update to support aconfigd_mainline process
Context: Currently, aconfigd which manages aconfig flags on device is a
/system process. To support better updatability, a new aconfig storage
daemon will be created on the config infra mainline module, called
aconfigd_mainline. This new daemon bears the responsibility of managing
mainline aconfig storage files as well as providing a socket service for
server and local flag value override. The system aconfigd will only be
responsible for managing platform aconfig flags after this
transition.
Therefore we are making the following SELinux changes:
1, A new binary called aconfigd_mainline is created under config infra
mainline module, provide the file context definition in the module
file_contexts file.
2, Create a SELinux policy for aconfigd_mainline under private dir. It a
copy of system aconfigd policy (aconfigd.te). When the transition is
complete, several allow clause will be removed from aconfigd.te.
3, Clean up persist and boot storage file access never allow rule.
Previously, never allow rules are defined in both domain.te and
system_server.te. Now they are merged in domain.te. In addition,
system_server no longer needs the access, removing it from exception
list.
Bug: 369812588
Test: m and launch avd, verify from logcat log that we can successfully
launch aconfigd_mainline process
Change-Id: Id9497847de2b3ca0b3dfd98e38252ae4a6c48993
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
index 23e7b89..de74547 100644
--- a/apex/com.android.configinfrastructure-file_contexts
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
\ No newline at end of file
+(/.*)? u:object_r:system_file:s0
+/bin/aconfigd-mainline u:object_r:aconfigd_mainline_exec:s0