Blame - private/aconfigd.te - android_system_sepolicy

blob: 5ee967d9d288329a998bf2f78cd82e50f70c39a5 [file] [log] [blame]

Dennis Shen	2659257	2024-02-25 15:44:51 +0000	[diff] [blame]	1	# aconfigd -- manager for aconfig flags
Ted Bauer	ffa0493	2024-10-04 20:32:36 +0000	[diff] [blame]	2	type aconfigd, domain, coredomain, mlstrustedsubject;
Dennis Shen	2659257	2024-02-25 15:44:51 +0000	[diff] [blame]	3	type aconfigd_exec, exec_type, file_type, system_file_type;
				4
Dennis Shen	2659257	2024-02-25 15:44:51 +0000	[diff] [blame]	5	init_daemon_domain(aconfigd)
				6
Dennis Shen	2659257	2024-02-25 15:44:51 +0000	[diff] [blame]	7	allow aconfigd metadata_file:dir search;
				8
				9	allow aconfigd {
				10	aconfig_storage_metadata_file
				11	aconfig_storage_flags_metadata_file
				12	}:dir create_dir_perms;
				13
				14	allow aconfigd {
				15	aconfig_storage_metadata_file
				16	aconfig_storage_flags_metadata_file
				17	}:file create_file_perms;
				18
Dennis Shen	89a2c69	2024-03-19 02:33:00 +0000	[diff] [blame]	19	# allow aconfigd to access shell_data_file for atest
				20	userdebug_or_eng(`
				21	allow aconfigd shell_data_file:dir search;
Dennis Shen	328f911	2024-03-21 18:58:11 +0000	[diff] [blame]	22	allow aconfigd shell_data_file:file { getattr read open map };
Dennis Shen	89a2c69	2024-03-19 02:33:00 +0000	[diff] [blame]	23	')
				24
Nick Kralevich	62bcb0d	2024-10-11 11:31:50 -0700	[diff] [blame]	25	# allow aconfigd to log to the kernel dmesg via a file descriptor
				26	# passed from init to aconfigd
				27	allow aconfigd kmsg_device:chr_file write;
Dennis Shen	f008c29	2024-02-28 18:08:10 +0000	[diff] [blame]	28
Dennis Shen	f008c29	2024-02-28 18:08:10 +0000	[diff] [blame]	29	# allow aconfigd to read vendor partition storage files
				30	allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
				31	allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
Dennis Shen	f610636	2024-05-17 17:24:20 +0000	[diff] [blame]	32
				33	# allow aconfigd to read /apex dir
				34	allow aconfigd apex_mnt_dir:dir r_dir_perms;
				35	allow aconfigd apex_mnt_dir:file r_file_perms;
Nick Kralevich	62bcb0d	2024-10-11 11:31:50 -0700	[diff] [blame]	36
				37	###
				38	### Neverallow assertions
				39	###
				40
				41	# only init is allowed to enter the aconfigd domain
				42	neverallow { domain -init } aconfigd:process transition;
				43	neverallow * aconfigd:process dyntransition;