# aconfigd -- manager for aconfig flags
#
# Domain for the aconfig flag storage daemon. It is started by init,
# serves requests over the aconfigd_socket, reads flag storage shipped on
# the system/system_ext/product and vendor images, and owns the writable
# flag metadata under /metadata.

###
### Domain and entry point
###

type aconfigd, domain;
type aconfigd_exec, exec_type, file_type, system_file_type;

typeattribute aconfigd coredomain;

init_daemon_domain(aconfigd)

# Lock down how this domain is entered: only init may transition into it
# via exec, and nothing at all may dyntransition into it. These are
# compile-time assertions, so any other policy granting such a transition
# fails the build rather than widening the attack surface at runtime.
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;

###
### Flag storage shipped on the partitions (read-only)
###

# The daemon only ever reads the image-provided storage files; no write,
# create or setattr permission is granted on these types, so the
# partition copies cannot be modified from this domain.
allow aconfigd {
  system_aconfig_storage_file
  vendor_aconfig_storage_file
}:dir r_dir_perms;

allow aconfigd {
  system_aconfig_storage_file
  vendor_aconfig_storage_file
}:file r_file_perms;

###
### Writable flag metadata under /metadata
###

# Path lookup through the /metadata mount point; only search is needed,
# the daemon must not enumerate or modify unrelated metadata entries.
allow aconfigd metadata_file:dir search;

# Full ownership of the aconfig-specific subtrees: these hold the
# persisted storage and flag metadata the daemon creates and rewrites.
allow aconfigd aconfig_storage_metadata_file:dir create_dir_perms;
allow aconfigd aconfig_storage_metadata_file:file create_file_perms;

allow aconfigd aconfig_storage_flags_metadata_file:dir create_dir_perms;
allow aconfigd aconfig_storage_flags_metadata_file:file create_file_perms;

###
### Request socket
###

# Server-side operations on the listening unix socket.
allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
# NOTE(review): if the socket is created by init from the .rc `socket`
# stanza and handed over as an fd, the daemon may not need sock_file
# permissions itself; confirm these are actually exercised before keeping
# the full rw set.
allow aconfigd aconfigd_socket:sock_file rw_file_perms;

###
### Debug-only access
###

# atest support: read test inputs from shell_data_file. This is gated by
# userdebug_or_eng, so user builds grant nothing here and the daemon can
# never open shell-owned data in production.
userdebug_or_eng(`
  allow aconfigd shell_data_file:dir search;
  allow aconfigd shell_data_file:file { getattr read open };
')

###
### Logging
###

# Write-only access to /dev/kmsg so the daemon can log to the kernel ring
# buffer; no read permission is granted, so it cannot consume kernel logs.
allow aconfigd kmsg_device:chr_file w_file_perms;