selinux setup for files under /metadata/aconfig dir
1. /metadata/aconfig is the directory that stores aconfig storage
related protobuf files and the boot copy of flag value files. Grant read
access to everybody, but limit write access to init and the
aconfig storage service process (to be created later).
2. /metadata/aconfig/flags is the sub directory that stores persistent
aconfig value files. Initially set it up to be accessible by the
system_server process only. When the aconfig storage service process is
created, we will add another permission for the storage service process.
Context for why we are hosting flag data on the /metadata partition:
Android is adopting the trunk stable workflow, and flagging and A/B testing are
essential to every platform component. We need some place to host the
flags that are accessible to system processes that start before the /data
partition becomes available.
In addition, there has been a long discussion regarding utilizing the
/metadata partition for some process data. Another example is mainline
modules: we are trying to make them able to be mounted earlier,
but cannot due to /data availability.
Bug: 312444587
Test: m
Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1de001e..351d647 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -43,4 +43,6 @@
vendor_microdroid_file
threadnetwork_config_prop
profiling_service
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
))
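Review bot: no `type aconfig_storage_metadata_file ...` / `type aconfig_storage_flags_metadata_file ...` declaration appears anywhere in this diff, yet this hunk lists both types for the 34.0 compatibility mapping and `private/file_contexts` and `private/system_server.te` reference them. Unless the declarations ship in a file outside this change (alongside the other `*_metadata_file` types), the policy will fail to compile; please confirm where they are declared and that they carry the same attributes as the neighbouring metadata file types.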
diff --git a/private/file_contexts b/private/file_contexts
index cba5660..7d9660b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -855,6 +855,8 @@
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
+/metadata/aconfig(/.*)? u:object_r:aconfig_storage_metadata_file:s0
+/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
#############################
# asec containers
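Review bot: the labelling of `/metadata/aconfig/flags` relies on the more specific `/metadata/aconfig/flags(/.*)?` entry taking precedence over `/metadata/aconfig(/.*)?`; Android's file_contexts matching prefers the entry with the longer literal stem, so this works, and keeping the two lines adjacent as they are here makes that relationship visible. What is missing from the change is any allow rule backing the description's "read access to everybody" for `aconfig_storage_metadata_file`: nothing in this diff grants any domain read on that type, and nothing grants `init` the create permissions it needs to set the directory tree up, so either those rules live in a follow-up or the description should say so.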
diff --git a/private/system_server.te b/private/system_server.te
index e5ade71..b58315d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1456,6 +1456,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
+allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+
allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;
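Review bot: the new `rw_dir_perms` on `aconfig_storage_flags_metadata_file:dir` is not sufficient on its own, because reaching `/metadata/aconfig/flags` requires `search` on the parent `/metadata/aconfig`, which this change labels `aconfig_storage_metadata_file`, and no rule in this diff grants `system_server` any access to that type. Add `allow system_server aconfig_storage_metadata_file:dir search;` (or `r_dir_perms` if system_server is also expected to read the protobuf files there), or point at the broader rule outside this diff that already covers it. Minor style point: the new pair is inserted directly under the `watchdog_metadata_file` lines with a blank line only after it; matching the neighbouring blocks with a blank line before as well keeps the spacing consistent.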
@@ -1512,6 +1515,11 @@
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+# Only system server should access /metadata/aconfig
+# TODO: add storage daemon to neverallow exception when it is introduced
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
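Review bot: the comment `# Only system server should access /metadata/aconfig` overstates what the rule enforces: the neverallow targets `aconfig_storage_flags_metadata_file`, i.e. `/metadata/aconfig/flags`, while the parent `/metadata/aconfig` (`aconfig_storage_metadata_file`) is described as readable by everybody and is not constrained here at all. Rename the comment to `/metadata/aconfig/flags`, and consider adding a companion rule for the parent type so the "write only by init and the storage service" property from the description is also enforced, e.g. `neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;` (extended with the storage daemon when it lands, as the TODO already notes for the flags directory). The `-init` exemption on the flags rules is consistent with init creating the directory tree, and the rule pair mirrors the `userspace_reboot_metadata_file` pattern directly above it, which is the right template.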