SELinux update to support aconfigd_mainline process
Context: Currently, aconfigd which manages aconfig flags on device is a
/system process. To support better updatability, a new aconfig storage
daemon will be created on the config infra mainline module, called
aconfigd_mainline. This new daemon bears the responsibility of managing
mainline aconfig storage files as well as providing a socket service for
server and local flag value override. The system aconfigd will only be
responsible for managing platform aconfig flags after this
transition.
Therefore we are making the following SELinux changes:
1, A new binary called aconfigd_mainline is created under the config infra
mainline module; provide the file context definition in the module's
file_contexts file.
2, Create a SELinux policy for aconfigd_mainline under the private dir. It is a
copy of the system aconfigd policy (aconfigd.te). When the transition is
complete, several allow clauses will be removed from aconfigd.te.
3, Clean up the persist and boot storage file access neverallow rules.
Previously, neverallow rules were defined in both domain.te and
system_server.te. Now they are merged in domain.te. In addition,
system_server no longer needs the access, so it is removed from the exception
list.
Bug: 369812588
Test: m and launch avd, verify from logcat log that we can successfully
launch aconfigd_mainline process
Change-Id: Id9497847de2b3ca0b3dfd98e38252ae4a6c48993
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 5ee967d..7a46959 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -16,12 +16,6 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
-# allow aconfigd to access shell_data_file for atest
-userdebug_or_eng(`
- allow aconfigd shell_data_file:dir search;
- allow aconfigd shell_data_file:file { getattr read open map };
-')
-
# allow aconfigd to log to the kernel dmesg via a file descriptor
# passed from init to aconfigd
allow aconfigd kmsg_device:chr_file write;
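Review bot: The removal of the userdebug_or_eng shell_data_file search/read/map grant for atest is not covered by any of the three changes enumerated in the commit message, so a reader cannot tell whether atest flows now go through aconfigd_mainline (whose policy is described as a copy of this file and would then still carry the grant) or whether the access is simply no longer needed. Please state in the commit message which it is, and if the socket-based override path in aconfigd_mainline is what replaces it, say so, since dropping a debug-only grant from the platform daemon while the same grant lives on in the mainline copy is the kind of asymmetry that gets lost during the later "remove allow clauses from aconfigd.te" cleanup.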
@@ -41,3 +35,35 @@
# only init is allowed to enter the aconfigd domain
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;
+
+# Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline.
+# These files are meant to serve flag reads for all processes. They are created by aconfigd (for
+# platform storage files) and aconfigd_mainline (mainline storage files) processes.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:dir no_w_dir_perms;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:file no_w_file_perms;
+
+# Only aconfigd and aconfigd_mainline can access persist storage files
+# These files are meant to serve as persist flag value storage, only aconfigd and
+# aconfigd_mainline process should manage them. Other processes should have zero access.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
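Review bot: These four neverallow rules land in aconfigd.te, but the commit message (item 3) says the persist/boot storage neverallows were "merged in domain.te"; one of the two is wrong, and if the old copies in domain.te and system_server.te are removed in a hunk not shown here, this file is now the sole place the invariant lives and the message should say so. The rules also reference the aconfigd_mainline domain, which is not declared anywhere in this diff; the policy will not compile unless the new aconfigd_mainline.te from item 2 is in the same change, so please confirm it is. Two smaller points on the comments: the first comment says "except, aconfigd and aconfigd_mainline" (stray comma) while the rule body additionally exempts init, so either justify the init exemption in the comment (e.g. init creating or relabeling the directories at boot) or drop it from the exception set; and the persist-file rule uses `aconfig_storage_flags_metadata_file:dir *;` while its file counterpart uses `no_rw_file_perms`, which still leaves getattr/map-style permissions outside the neverallow for files even though the comment promises "zero access" for other processes, so tighten the file rule or soften the comment to match.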