| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 1 | # aconfigd -- manager for aconfig flags |
| Nick Kralevich | 62bcb0d | 2024-10-11 11:31:50 -0700 | [diff] [blame^] | 2 | type aconfigd, domain, coredomain; |
| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 3 | type aconfigd_exec, exec_type, file_type, system_file_type; |
| 4 | |
| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 5 | init_daemon_domain(aconfigd) |
| 6 | |
| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 7 | allow aconfigd metadata_file:dir search; |
| 8 | |
| 9 | allow aconfigd { |
| 10 | aconfig_storage_metadata_file |
| 11 | aconfig_storage_flags_metadata_file |
| 12 | }:dir create_dir_perms; |
| 13 | |
| 14 | allow aconfigd { |
| 15 | aconfig_storage_metadata_file |
| 16 | aconfig_storage_flags_metadata_file |
| 17 | }:file create_file_perms; |
| 18 | |
| Dennis Shen | 89a2c69 | 2024-03-19 02:33:00 +0000 | [diff] [blame] | 19 | # allow aconfigd to access shell_data_file for atest |
| 20 | userdebug_or_eng(` |
| 21 | allow aconfigd shell_data_file:dir search; |
| Dennis Shen | 328f911 | 2024-03-21 18:58:11 +0000 | [diff] [blame] | 22 | allow aconfigd shell_data_file:file { getattr read open map }; |
| Dennis Shen | 89a2c69 | 2024-03-19 02:33:00 +0000 | [diff] [blame] | 23 | ') |
| 24 | |
| Nick Kralevich | 62bcb0d | 2024-10-11 11:31:50 -0700 | [diff] [blame^] | 25 | # allow aconfigd to log to the kernel dmesg via a file descriptor |
| 26 | # passed from init to aconfigd |
| 27 | allow aconfigd kmsg_device:chr_file write; |
| Dennis Shen | f008c29 | 2024-02-28 18:08:10 +0000 | [diff] [blame] | 28 | |
| Dennis Shen | f008c29 | 2024-02-28 18:08:10 +0000 | [diff] [blame] | 29 | # allow aconfigd to read vendor partition storage files |
| 30 | allow aconfigd vendor_aconfig_storage_file:file r_file_perms; |
| 31 | allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms; |
| Dennis Shen | f610636 | 2024-05-17 17:24:20 +0000 | [diff] [blame] | 32 | |
| 33 | # allow aconfigd to read /apex dir |
| 34 | allow aconfigd apex_mnt_dir:dir r_dir_perms; |
| 35 | allow aconfigd apex_mnt_dir:file r_file_perms; |
| Nick Kralevich | 62bcb0d | 2024-10-11 11:31:50 -0700 | [diff] [blame^] | 36 | |
| 37 | ### |
| 38 | ### Neverallow assertions |
| 39 | ### |
| 40 | |
| 41 | # only init is allowed to enter the aconfigd domain |
| 42 | neverallow { domain -init } aconfigd:process transition; |
| 43 | neverallow * aconfigd:process dyntransition; |