# aconfigd -- manager for aconfig flags
#
# aconfigd owns the aconfig flag storage files that other processes read.
# The allow rules grant it the file access it needs; the neverallow
# assertions at the bottom keep every other domain from entering this
# domain or from modifying the storage files.
#
# mlstrustedsubject exempts the domain from MLS constraints; presumably
# needed because the storage files are read by processes at every MLS
# level -- confirm against the readers.
type aconfigd, domain, coredomain, mlstrustedsubject;
type aconfigd_exec, exec_type, file_type, system_file_type;

# Started by init; init_daemon_domain sets up the init -> aconfigd
# domain transition on aconfigd_exec.
init_daemon_domain(aconfigd)

# Directory search only (path traversal through metadata_file
# directories); no read or write on metadata_file itself.
allow aconfigd metadata_file:dir search;

# Full create/write access to the platform storage directories and files:
# boot/map storage (aconfig_storage_metadata_file) and persisted flag
# values (aconfig_storage_flags_metadata_file).
allow aconfigd {
    aconfig_storage_metadata_file
    aconfig_storage_flags_metadata_file
}:dir create_dir_perms;

allow aconfigd {
    aconfig_storage_metadata_file
    aconfig_storage_flags_metadata_file
}:file create_file_perms;

# allow aconfigd to log to the kernel dmesg via a file descriptor
# passed from init to aconfigd. Only write is granted: aconfigd never
# opens kmsg_device itself, it inherits the already-open fd.
allow aconfigd kmsg_device:chr_file write;

# allow aconfigd to read vendor partition storage files (read-only;
# the vendor copy is not written by this domain)
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;

# allow aconfigd to read /apex dir (read-only)
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;

###
### Neverallow assertions
###

# only init is allowed to enter the aconfigd domain, and only via a
# process transition on exec -- no domain may dyntransition into it
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;

# Do not allow write access to boot/map storage files except for aconfigd and
# aconfigd_mainline. These files are meant to serve flag reads for all
# processes. They are created by aconfigd (for platform storage files) and
# aconfigd_mainline (mainline storage files) processes.
# init is also exempted below; presumably so it can create or relabel the
# storage directories during boot -- TODO confirm.
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_metadata_file:dir no_w_dir_perms;
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_metadata_file:file no_w_file_perms;

# Only aconfigd and aconfigd_mainline can access persist storage files.
# These files are meant to serve as persist flag value storage, only aconfigd and
# aconfigd_mainline process should manage them. Other processes should have zero access.
# NOTE(review): the dir rule denies every permission (*), but the file rule
# denies only the no_rw_file_perms set; file permissions outside that set
# (getattr, for instance) are not asserted here. Confirm whether that gap
# is intentional or whether the file rule should match the dir rule.
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_flags_metadata_file:dir *;
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_flags_metadata_file:file no_rw_file_perms;