DO NOT MERGE ANYWHERE Update test aconfigd.te
Include system_server in the neverallow rule exclusion list for aconfig_storage_flags_metadata_file, since system_server was granted write permission for these files.
Bug: b/386314424
Change-Id: I95b594af97307118f733a33e3dda896f40a0e89c
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 01f53cd..548fea7 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -54,16 +54,21 @@
# Only aconfigd and aconfigd_mainline can access persist storage files
# These files are meant to serve as persist flag value storage, only aconfigd and
-# aconfigd_mainline process should manage them. Other processes should have zero access.
+# aconfigd_mainline process should manage them. Other processes should have zero
+# access. system_server was previous granted write permission to these files as
+# well during test missions. Thus also added system_server to the neverallow
+# exclusion list to cts test requirements.
neverallow {
domain
-init
-aconfigd
-aconfigd_mainline
+ -system_server
} aconfig_storage_flags_metadata_file:dir *;
neverallow {
domain
-init
-aconfigd
-aconfigd_mainline
+ -system_server
} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
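Review bot: The two added `-system_server` entries exempt system_server from both rules completely, meaning every permission on `aconfig_storage_flags_metadata_file:dir` and all of `no_rw_file_perms` on the files, while the commit message justifies only write access to the files. If the allow rule granted elsewhere is narrower than that, the guarantee can be kept by pairing the exemption with a dedicated rule such as `neverallow system_server aconfig_storage_flags_metadata_file:dir ~{ <dir perms actually granted> };` (placeholder; the grant itself is not visible in this hunk). The new comment also sits under a heading that still says only aconfigd and aconfigd_mainline can access these files, and its wording ("previous granted", "test missions", "to cts test requirements") is hard to follow. I would replace it with `# system_server is exempted because it was granted write access to these files (b/386314424).` and, if the grant is meant to be temporary, say so in the same comment so the exemption is removed with it.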