update aconfigd selinux policy
For aconfigd test, for atest to work, the shell domain needs to be able
to connect to aconfigd_socket. In addition, aconfigd needs to be able to
access the test storage files as shell_data_file. All these policies are
only needed for userdebug_or_eng builds.
Bug: 312459182
Test: m, launch avd, atest, then audit2allow, no avc denials found
Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 43a08ce..0e2a7ae 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -22,8 +22,15 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
+allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+# allow aconfigd to access shell_data_file for atest
+userdebug_or_eng(`
+ allow aconfigd shell_data_file:dir search;
+ allow aconfigd shell_data_file:file { getattr read open };
+')
+
# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms;
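Review bot: the added `allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };` line sits outside the `userdebug_or_eng(` block, so it is granted on user builds as well, while the commit message says all of these policies are only needed for userdebug_or_eng builds. If the socket rule exists only for the atest path, move it inside the macro next to the shell_data_file rules. If aconfigd needs it in production, say so in the commit message and give the rule a comment line like the neighbouring rules have. The shell_data_file rules are scoped to the debug builds and limited to `search` on dirs and `{ getattr read open }` on files, which matches the stated need. The commit message also mentions the shell domain connecting to aconfigd_socket; that rule is not in this hunk, so wherever it is added it should be wrapped in `userdebug_or_eng` too.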