update aconfigd selinux policy
For the aconfigd test to work under atest, the shell domain needs to be able
to connect to aconfigd_socket. In addition, aconfigd needs to be able to
access the test storage files as shell_data_file. All these policies are
only needed for userdebug_or_eng build.
Bug: 312459182
Test: m, launch avd, atest, then audit2allow, no avc denials found
Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 43a08ce..0e2a7ae 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -22,8 +22,15 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
+allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+# allow aconfigd to access shell_data_file for atest
+userdebug_or_eng(`
+ allow aconfigd shell_data_file:dir search;
+ allow aconfigd shell_data_file:file { getattr read open };
+')
+
# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms;
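Review bot: The unix_stream_socket allow on aconfigd_socket added at the top of this hunk is unconditional, while the description says all of these policies are only needed for userdebug_or_eng builds; either the daemon needs it to serve its socket on every build, in which case the description should say so, or it belongs inside the userdebug_or_eng block that follows it. If init labels the listening socket with the service domain rather than the sock_file type (the shell.te hunk's connectto target is the aconfigd domain, which points that way), this rule may never be exercised, so it is worth confirming against the avc log or sesearch before landing a possibly dead allow. The shell_data_file block would also read better with a comment that states what is granted and why it is gated, e.g. `# atest stages the aconfigd test storage files as shell_data_file; read-only, userdebug/eng only`.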
diff --git a/private/domain.te b/private/domain.te
index 4692eda..52c5327 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -735,6 +735,7 @@
-artd
-dumpstate
-installd
+ userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
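Review bot: The aconfigd exemption added to this neverallow exception list (and the identical line in the second domain.te hunk) carries no explanation of why the carve-out is needed, and the neighbouring `-system_server # why?` entry shows how unexplained exemptions age. A trailing comment such as # reads atest storage files labelled shell_data_file (userdebug/eng) on both added lines would tie the exemption to the allow in aconfigd.te. The neverallow rules these lists belong to start outside the hunks, so I cannot confirm from here that the exemption is no broader than the dir search and file read access actually granted; worth checking that it does not also lift a wider restriction than the test needs.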
@@ -782,6 +783,7 @@
-installd
-simpleperf_app_runner
-system_server # why?
+ userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
diff --git a/private/shell.te b/private/shell.te
index 2b7bd88..1d59a5d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -267,3 +267,9 @@
# Allow shell to execute oatdump.
allow shell oatdump_exec:file rx_file_perms;
+
+# Allow shell access to socket for test
+userdebug_or_eng(`
+ allow shell aconfigd_socket:sock_file write;
+ allow shell aconfigd:unix_stream_socket connectto;
+')
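Review bot: The two rules inside the userdebug_or_eng block are the hand-expanded form of the existing unix_socket_connect macro; writing `unix_socket_connect(shell, aconfigd, aconfigd)` instead would keep this consistent with how other client domains connect to init-created sockets and keeps the sock_file write and connectto pair from drifting apart. The comment `# Allow shell access to socket for test` should name the socket and the purpose, e.g. `# Allow shell to connect to aconfigd's socket so atest can drive the aconfigd tests (userdebug/eng only)`.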