| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 1 | # aconfigd -- manager for aconfig flags |
| Ted Bauer | ffa0493 | 2024-10-04 20:32:36 +0000 | [diff] [blame] | 2 | type aconfigd, domain, coredomain, mlstrustedsubject; |
| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 3 | type aconfigd_exec, exec_type, file_type, system_file_type; |
| 4 | |
| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 5 | init_daemon_domain(aconfigd) |
| 6 | |
| Dennis Shen | 2659257 | 2024-02-25 15:44:51 +0000 | [diff] [blame] | 7 | allow aconfigd metadata_file:dir search; |
| 8 | |
| 9 | allow aconfigd { |
| 10 | aconfig_storage_metadata_file |
| 11 | aconfig_storage_flags_metadata_file |
| 12 | }:dir create_dir_perms; |
| 13 | |
| 14 | allow aconfigd { |
| 15 | aconfig_storage_metadata_file |
| 16 | aconfig_storage_flags_metadata_file |
| 17 | }:file create_file_perms; |
| 18 | |
| Nick Kralevich | 62bcb0d | 2024-10-11 11:31:50 -0700 | [diff] [blame] | 19 | # allow aconfigd to log to the kernel dmesg via a file descriptor |
| 20 | # passed from init to aconfigd |
| 21 | allow aconfigd kmsg_device:chr_file write; |
| Dennis Shen | f008c29 | 2024-02-28 18:08:10 +0000 | [diff] [blame] | 22 | |
| Dennis Shen | f008c29 | 2024-02-28 18:08:10 +0000 | [diff] [blame] | 23 | # allow aconfigd to read vendor partition storage files |
| 24 | allow aconfigd vendor_aconfig_storage_file:file r_file_perms; |
| 25 | allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms; |
| Dennis Shen | f610636 | 2024-05-17 17:24:20 +0000 | [diff] [blame] | 26 | |
| 27 | # allow aconfigd to read /apex dir |
| 28 | allow aconfigd apex_mnt_dir:dir r_dir_perms; |
| 29 | allow aconfigd apex_mnt_dir:file r_file_perms; |
| Dennis Shen | 2d3643a | 2024-12-02 19:46:43 +0000 | [diff] [blame] | 30 | dontaudit aconfigd apex_info_file:file r_file_perms; |
| Nick Kralevich | 62bcb0d | 2024-10-11 11:31:50 -0700 | [diff] [blame] | 31 | |
| 32 | ### |
| 33 | ### Neverallow assertions |
| 34 | ### |
| 35 | |
| 36 | # only init is allowed to enter the aconfigd domain |
| 37 | neverallow { domain -init } aconfigd:process transition; |
| 38 | neverallow * aconfigd:process dyntransition; |
| Dennis Shen | 2778369 | 2024-09-26 13:56:08 +0000 | [diff] [blame] | 39 | |
| 40 | # Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline. |
| 41 | # These files are meant to serve flag reads for all processes. They are created by aconfigd (for |
| 42 | # platform storage files) and aconfigd_mainline (mainline storage files) processes. |
| 43 | neverallow { |
| 44 | domain |
| 45 | -init |
| 46 | -aconfigd |
| 47 | -aconfigd_mainline |
| 48 | } aconfig_storage_metadata_file:dir no_w_dir_perms; |
| 49 | neverallow { |
| 50 | domain |
| 51 | -init |
| 52 | -aconfigd |
| 53 | -aconfigd_mainline |
| 54 | } aconfig_storage_metadata_file:file no_w_file_perms; |
| 55 | |
| 56 | # Only aconfigd and aconfigd_mainline can access persist storage files |
| 57 | # These files are meant to serve as persist flag value storage, only aconfigd and |
| 58 | # aconfigd_mainline process should manage them. Other processes should have zero access. |
| 59 | neverallow { |
| 60 | domain |
| 61 | -init |
| 62 | -aconfigd |
| 63 | -aconfigd_mainline |
| 64 | } aconfig_storage_flags_metadata_file:dir *; |
| 65 | neverallow { |
| 66 | domain |
| 67 | -init |
| 68 | -aconfigd |
| 69 | -aconfigd_mainline |
| 70 | } aconfig_storage_flags_metadata_file:file no_rw_file_perms; |