Add mlstrustedsubject to aconfigd.te
aconfigd is the daemon which is responsible for handling Android flags. Currently, this daemon is not accessed by Android applications.
This change adds mlstrustedobject and mlstrustedsubject to the aconfigd process and socket, respectively. These attributes indicate that aconfigd can cross a multi-user boundary, eg, changes to flags in code run by one human user may affect all other human users of the same device. These attributes are needed so that an Android app, running with levelFrom=all, can access aconfigd. Normally Android apps are isolated per-user, but by using aconfigd, one app may affect other apps or the entire system across the multi-user boundary.
Change-Id: I90fe83906806ab550daba1df440e56fef8737c0a
Test: m
Bug: 370499640
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 1601e61..5ee967d 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -1,5 +1,5 @@
# aconfigd -- manager for aconfig flags
-type aconfigd, domain, coredomain;
+type aconfigd, domain, coredomain, mlstrustedsubject;
type aconfigd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(aconfigd)
diff --git a/private/file.te b/private/file.te
index 60aa5d5..84c47fc 100644
--- a/private/file.te
+++ b/private/file.te
@@ -156,7 +156,7 @@
type sysfs_uprobe, fs_type, sysfs_type;
# Type for aconfig daemon socket
-type aconfigd_socket, file_type, coredomain_socket;
+type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;