# aconfigd -- manager for aconfig flags
#
# Policy for the aconfigd daemon domain: what aconfigd itself may touch
# (allow rules) and which other domains must never touch its storage
# (neverallow assertions, checked when the policy is built).
#
# NOTE(review): mlstrustedsubject marks aconfigd as exempt from MLS
# constraints -- confirm the daemon still needs this attribute.
type aconfigd, domain, coredomain, mlstrustedsubject;
type aconfigd_exec, exec_type, file_type, system_file_type;

# init_daemon_domain is a macro defined outside this file; presumably it sets
# up the init -> aconfigd transition on executing aconfigd_exec. The
# neverallow on process transition below keeps init as the only entry point.
init_daemon_domain(aconfigd)

# Directory traversal only (search); no listing or modification of
# metadata_file directories is granted here.
allow aconfigd metadata_file:dir search;

# aconfigd creates and manages both storage trees: the boot/map storage files
# (aconfig_storage_metadata_file) and the persistent flag value files
# (aconfig_storage_flags_metadata_file).
allow aconfigd {
    aconfig_storage_metadata_file
    aconfig_storage_flags_metadata_file
}:dir create_dir_perms;

allow aconfigd {
    aconfig_storage_metadata_file
    aconfig_storage_flags_metadata_file
}:file create_file_perms;

# allow aconfigd to log to the kernel dmesg via a file descriptor
# passed from init to aconfigd
# Only write is granted (no open), which matches the inherited-descriptor
# model described above.
allow aconfigd kmsg_device:chr_file write;

# allow aconfigd to read vendor partition storage files
# Read-only: no write or create permission on vendor storage is granted here.
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;

# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
# dontaudit only silences the denial log; no allow rule in this file grants
# aconfigd read access to apex_info_file, so the access itself stays denied.
# NOTE(review): suppressed denials will not show up in audit logs -- keep this
# in mind when debugging or monitoring aconfigd.
dontaudit aconfigd apex_info_file:file r_file_perms;

###
### Neverallow assertions
###

# only init is allowed to enter the aconfigd domain
# dyntransition is forbidden for every domain, init included.
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;

# Do not allow write access to boot/map storage files except for init, aconfigd and
# aconfigd_mainline. These files are meant to serve flag reads for all processes. They are
# created by aconfigd (for platform storage files) and aconfigd_mainline (mainline storage
# files) processes.
# Read access is deliberately left unconstrained by these two assertions.
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_metadata_file:dir no_w_dir_perms;
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_metadata_file:file no_w_file_perms;

# Only aconfigd and aconfigd_mainline (plus init, which is also exempted below) can access
# persist storage files. These files are meant to serve as persist flag value storage, only
# aconfigd and aconfigd_mainline process should manage them. Other processes should have
# zero access.
# The dir assertion forbids every permission (*). The file assertion forbids
# only what no_rw_file_perms enumerates; that macro is defined outside this file.
# NOTE(review): confirm whether file permissions not listed in no_rw_file_perms
# (e.g. getattr) are meant to stay unconstrained, since the comment above says
# "zero access".
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_flags_metadata_file:dir *;
neverallow {
    domain
    -init
    -aconfigd
    -aconfigd_mainline
} aconfig_storage_flags_metadata_file:file no_rw_file_perms;