SELinux update to support aconfigd_mainline process

Context: Currently, aconfigd, which manages aconfig flags on device, is a
/system process. To support better updatability, a new aconfig storage
daemon will be created in the config infra mainline module, called
aconfigd_mainline. This new daemon bears the responsibility of managing
mainline aconfig storage files as well as providing a socket service for
server and local flag value overrides. The system aconfigd will only be
responsible for managing platform aconfig flags after this
transition.

Therefore we are making the following SELinux changes:

1, A new binary called aconfigd_mainline is created under the config infra
mainline module; provide the file context definition in the module's
file_contexts file.

2, Create a SELinux policy for aconfigd_mainline under the private dir. It is
a copy of the system aconfigd policy (aconfigd.te). When the transition is
complete, several allow clauses will be removed from aconfigd.te.

3, Clean up the persist and boot storage file access neverallow rules.
Previously, neverallow rules were defined in both domain.te and
system_server.te. Now they are merged in domain.te. In addition,
system_server no longer needs the access, so it is removed from the
exception list.

Bug: 369812588
Test: m and launch avd, verify from logcat log that we can successfully
launch aconfigd_mainline process

Change-Id: Id9497847de2b3ca0b3dfd98e38252ae4a6c48993
diff --git a/private/aconfigd_mainline.te b/private/aconfigd_mainline.te
new file mode 100644
index 0000000..cd98d4b
--- /dev/null
+++ b/private/aconfigd_mainline.te
@@ -0,0 +1,38 @@
+# aconfigd_mainline -- manager for mainline aconfig flags
+type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
+type aconfigd_mainline_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(aconfigd_mainline)
+
+# allow aconfigd_mainline to search /metadata dir as it needs to access files under
+# /metadata/aconfig dir
+allow aconfigd_mainline metadata_file:dir search;
+
+# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir
+allow aconfigd_mainline {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd_mainline {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+# allow aconfigd_mainline to log to the kernel.
+allow aconfigd_mainline kmsg_device:chr_file write;
+
+# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all
+# dirs under /apex to find all currently mounted mainline modules and get their
+# storage files
+allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
+allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd_mainline apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd_mainline domain
+neverallow { domain -init } aconfigd_mainline:process transition;
+neverallow * aconfigd_mainline:process dyntransition;
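Review bot: the `mlstrustedsubject` attribute on the `type aconfigd_mainline` line is not explained by any comment, and since it exempts the domain from MLS constraints it should either carry a justification (which /metadata/aconfig or /apex access actually requires it) or be dropped if it was only carried over from aconfigd.te. Two smaller points in the same hunk: the commit message says the daemon provides a socket service for flag value overrides, yet no socket type or `unix_stream_socket` rules appear here, so note in the file whether that lands in a follow-up; and the `dontaudit aconfigd_mainline apex_info_file:file r_file_perms;` line silences a denial without saying why the daemon does not need that file, so a one-line comment above it (like the ones for the other rules) would keep the policy readable and make an accidental functional gap visible rather than hidden.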