aconfigd: cleanup

Various cleanups of aconfigd

1) Remove unnecessary aconfigd permissions for /dev/kmsg.

This file descriptor is opened by init and passed to the process,
so permissions like "open" are not needed. The only permission
needed is "write".

2) Get rid of aconfigd's ability to connect to its own
/dev/socket/aconfigd socket.

A process connecting to itself is unlikely to be useful and most
likely indicates a bug. I'm struggling to imagine situations where
such recursive connections would be useful. This appears to be an
artifact of early aconfigd bringup and unused by current code.

3) Move neverallow assertions

By convention, SELinux neverallow assertions go at the end of the
relevant *.te file.

4) Move typeattribute to type line

This makes the policy simpler to read.

5) Remove shell access to the aconfigd socket.

This was already surrounded by a userdebug_or_eng block. Remove
it entirely from policy to avoid confusion and reduce build-time
variation of SELinux policy rules.

Bug: 370499640
Test: Build compiles and boots with no SELinux errors
Test: adb root && \
      m aconfigd_socket_test && \
      adb sync data && \
      adb shell /data/nativetest64/aconfigd_socket_test/aconfigd_socket_test
Change-Id: I29d9d160cbd7223771cb8ae17d9e477d5d5b8ac6
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 97e7493..1601e61 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -1,15 +1,9 @@
 # aconfigd -- manager for aconfig flags
-type aconfigd, domain;
+type aconfigd, domain, coredomain;
 type aconfigd_exec, exec_type, file_type, system_file_type;
 
-typeattribute aconfigd coredomain;
-
 init_daemon_domain(aconfigd)
 
-# only init is allowed to enter the aconfigd domain
-neverallow { domain -init } aconfigd:process transition;
-neverallow * aconfigd:process dyntransition;
-
 allow aconfigd metadata_file:dir search;
 
 allow aconfigd {
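Review bot: folding `coredomain` into `type aconfigd, domain, coredomain;` is equivalent to the removed `typeattribute` line, so there is no policy change in this hunk; the only thing to verify is that the two `neverallow` lines deleted here are re-added verbatim at the end of the file rather than dropped, since they are the sole guard against a non-init domain transitioning into `aconfigd`. The deletion leaves the top of the file with no pointer to where the assertions went, which is fine given the convention cited in the message, but the `init_daemon_domain(aconfigd)` line is now the only place a reader learns that init is the intended entry point.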
@@ -22,17 +16,15 @@
     aconfig_storage_flags_metadata_file
 }:file create_file_perms;
 
-allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
-allow aconfigd aconfigd_socket:sock_file rw_file_perms;
-
 # allow aconfigd to access shell_data_file for atest
 userdebug_or_eng(`
     allow aconfigd shell_data_file:dir search;
     allow aconfigd shell_data_file:file { getattr read open map };
 ')
 
-# allow aconfigd to log to the kernel.
-allow aconfigd kmsg_device:chr_file w_file_perms;
+# allow aconfigd to log to the kernel dmesg via a file descriptor
+# passed from init to aconfigd
+allow aconfigd kmsg_device:chr_file write;
 
 # allow aconfigd to read vendor partition storage files
 allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
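Review bot: the dropped `aconfigd_socket:unix_stream_socket { accept listen getattr read write }` and `aconfigd_socket:sock_file rw_file_perms` rules leave nothing in this file documenting how the daemon's socket is actually provided, so add a comment (as was done for `kmsg_device`) stating that init creates the `/dev/socket/aconfigd` listener and hands it to the process, otherwise the next person who sees a denial is likely to re-add the connect-to-self permissions that item 2 of the message deliberately removes. The `w_file_perms` to `write` narrowing for `kmsg_device:chr_file` matches item 1 and is the right minimum for an inherited file descriptor. One more point: item 5 of the message removes a `userdebug_or_eng` block to "reduce build-time variation of SELinux policy rules", yet the `shell_data_file` block just above this hunk is left in place with the same kind of guard; either note why that one is still required for atest or apply the same reasoning to it.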
@@ -41,3 +33,11 @@
 # allow aconfigd to read /apex dir
 allow aconfigd apex_mnt_dir:dir r_dir_perms;
 allow aconfigd apex_mnt_dir:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
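Review bot: the relocated `neverallow { domain -init } aconfigd:process transition;` and `neverallow * aconfigd:process dyntransition;` lines are identical to the ones removed from the top of the file, so this is a pure move with no semantic change, and the `###`-banner section header is consistent with the convention the message cites. Since item 2 of the message argues that a process connecting to its own socket is a bug, consider whether that intent should be asserted here as well rather than only not granted, so a later change cannot quietly reintroduce the `aconfigd_socket:sock_file` write permission without tripping a build-time check.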
diff --git a/private/shell.te b/private/shell.te
index a6e9975..839178c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -273,12 +273,6 @@
 # TODO (b/350628688): Remove this once it's safe to do so.
 allow shell oatdump_exec:file rx_file_perms;
 
-# Allow shell access to socket for test
-userdebug_or_eng(`
-    allow shell aconfigd_socket:sock_file write;
-    allow shell aconfigd:unix_stream_socket connectto;
-')
-
 # Create and use network sockets.
 net_domain(shell)
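Review bot: removing `allow shell aconfigd:unix_stream_socket connectto;` means anything running in the unprivileged `shell` domain can no longer reach the daemon, and the removed block's own comment says it existed "for test"; the Test line in the message exercises the socket only after `adb root`, which does not run as the `shell` domain, so the message should state explicitly that no remaining test (a plain `adb shell` without root, or an atest-driven run) still depends on this access, or that the test was also run without root. The `aconfigd_socket:sock_file write` removal is consistent with that, since without `connectto` the sock_file write permission alone is useless to `shell`.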