1# aconfigd -- manager for aconfig flags 2type aconfigd, domain; 3type aconfigd_exec, exec_type, file_type, system_file_type; 4 5typeattribute aconfigd coredomain; 6 7init_daemon_domain(aconfigd) 8 9# only init is allowed to enter the aconfigd domain 10neverallow { domain -init } aconfigd:process transition; 11neverallow * aconfigd:process dyntransition; 12 13allow aconfigd metadata_file:dir search; 14 15allow aconfigd { 16 aconfig_storage_metadata_file 17 aconfig_storage_flags_metadata_file 18}:dir create_dir_perms; 19 20allow aconfigd { 21 aconfig_storage_metadata_file 22 aconfig_storage_flags_metadata_file 23}:file create_file_perms; 24 25allow aconfigd aconfigd_socket:sock_file rw_file_perms; 26 27# allow aconfigd to log to the kernel. 28allow aconfigd kmsg_device:chr_file w_file_perms; 29 30# allow aconfigd to read system/system_ext/product partition storage files 31allow aconfigd system_aconfig_storage_file:file r_file_perms; 32allow aconfigd system_aconfig_storage_file:dir r_dir_perms; 33 34# allow aconfigd to read vendor partition storage files 35allow aconfigd vendor_aconfig_storage_file:file r_file_perms; 36allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms; 37