| Dennis Shen | 2778369 | 2024-09-26 13:56:08 +0000 | [diff] [blame] | 1 | # aconfigd_mainline -- manager for mainline aconfig flags |
| 2 | type aconfigd_mainline, domain, coredomain, mlstrustedsubject; |
| 3 | type aconfigd_mainline_exec, exec_type, file_type, system_file_type; |
| 4 | |
| 5 | init_daemon_domain(aconfigd_mainline) |
| 6 | |
| 7 | # allow aconfigd_mainline to search /metadata dir as it needs to access files under |
| 8 | # /metadata/aconfig dir |
| 9 | allow aconfigd_mainline metadata_file:dir search; |
| 10 | |
| 11 | # aconfigd_mainline should be able to create storage files under /metadata/aconfig dir |
| 12 | allow aconfigd_mainline { |
| 13 | aconfig_storage_metadata_file |
| 14 | aconfig_storage_flags_metadata_file |
| 15 | }:dir create_dir_perms; |
| 16 | |
| 17 | allow aconfigd_mainline { |
| 18 | aconfig_storage_metadata_file |
| 19 | aconfig_storage_flags_metadata_file |
| 20 | }:file create_file_perms; |
| 21 | |
| 22 | # allow aconfigd_mainline to log to the kernel. |
| 23 | allow aconfigd_mainline kmsg_device:chr_file write; |
| 24 | |
| 25 | # allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all |
| 26 | # dirs under /apex to find all currently mounted mainline modules and get their |
| 27 | # storage files |
| 28 | allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms; |
| 29 | allow aconfigd_mainline apex_mnt_dir:file r_file_perms; |
| 30 | dontaudit aconfigd_mainline apex_info_file:file r_file_perms; |
| 31 | |
| 32 | ### |
| 33 | ### Neverallow assertions |
| 34 | ### |
| 35 | |
| 36 | # only init is allowed to enter the aconfigd_mainline domain |
| 37 | neverallow { domain -init } aconfigd_mainline:process transition; |
| 38 | neverallow * aconfigd_mainline:process dyntransition; |