# aconfigd -- manager for aconfig flags
#
# Domain policy for the aconfigd daemon. The types, attributes and macros
# used below (init_daemon_domain, create_dir_perms, create_file_perms,
# rw_file_perms, w_file_perms, r_file_perms, r_dir_perms and the *_file /
# *_socket / *_device types) are declared outside this file.

# Process domain of the daemon, and the label carried by its executable.
type aconfigd, domain;
type aconfigd_exec, exec_type, file_type, system_file_type;

typeattribute aconfigd coredomain;

# Set up the init -> aconfigd domain transition for the daemon.
init_daemon_domain(aconfigd)

# Only init is allowed to enter the aconfigd domain.
# These are assertions checked when the policy is built: a later allow rule
# that lets any other domain transition into aconfigd, or that lets any
# domain dyntransition into it, makes the build fail instead of silently
# widening the set of processes that can run with these permissions.
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;

# Writable state. Directory traversal through metadata_file is limited to
# search; create/modify access is granted only on the two aconfig storage
# types, for directories and for regular files.
# NOTE(review): presumably metadata_file labels the parent directory of the
# aconfig storage directories -- confirm against file_contexts.
allow aconfigd metadata_file:dir search;

allow aconfigd aconfig_storage_metadata_file:dir create_dir_perms;
allow aconfigd aconfig_storage_flags_metadata_file:dir create_dir_perms;

allow aconfigd aconfig_storage_metadata_file:file create_file_perms;
allow aconfigd aconfig_storage_flags_metadata_file:file create_file_perms;

# Read/write access to the socket file labelled aconfigd_socket. Which other
# domains may reach this socket is decided by rules outside this file.
allow aconfigd aconfigd_socket:sock_file rw_file_perms;

# allow aconfigd to log to the kernel (write-only access to kmsg).
allow aconfigd kmsg_device:chr_file w_file_perms;

# allow aconfigd to read system/system_ext/product partition storage files
# and vendor partition storage files. Access to these partition storage
# types is read-only: no write or create permission is granted on them here.
allow aconfigd {
    system_aconfig_storage_file
    vendor_aconfig_storage_file
}:file r_file_perms;

allow aconfigd {
    system_aconfig_storage_file
    vendor_aconfig_storage_file
}:dir r_dir_perms;