# aconfigd_mainline -- manager for mainline aconfig flags
#
# Domain for the daemon that maintains aconfig flag storage for mainline
# modules. It is started by init, enumerates the mounted modules under /apex
# and keeps its own storage files under /metadata/aconfig.
#
# mlstrustedsubject exempts the domain from MLS constraints; coredomain marks
# it as part of the core platform policy (and subjects it to the coredomain
# neverallow rules).
type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
type aconfigd_mainline_exec, exec_type, file_type, system_file_type;

# Daemon started by init: this macro sets up the automatic domain transition
# from init into aconfigd_mainline when aconfigd_mainline_exec is executed.
init_daemon_domain(aconfigd_mainline)

# --- Kernel logging ----------------------------------------------------------
# Write access to the kernel log device so the daemon can log to the kernel;
# no read access is granted.
allow aconfigd_mainline kmsg_device:chr_file write;

# --- /metadata/aconfig storage -----------------------------------------------
# Path lookup through /metadata is required to reach /metadata/aconfig; only
# 'search' is granted on the parent directory, not listing or writing.
allow aconfigd_mainline metadata_file:dir search;

# Create/read/write/unlink access to the aconfig storage directories and the
# files inside them, for both the metadata and the flags-metadata labels.
allow aconfigd_mainline aconfig_storage_metadata_file:dir create_dir_perms;
allow aconfigd_mainline aconfig_storage_metadata_file:file create_file_perms;
allow aconfigd_mainline aconfig_storage_flags_metadata_file:dir create_dir_perms;
allow aconfigd_mainline aconfig_storage_flags_metadata_file:file create_file_perms;

# --- /apex enumeration -------------------------------------------------------
# Read-only traversal of /apex: the daemon loops through every directory under
# /apex to find the currently mounted mainline modules and their storage
# files. No write access to the APEX mount is granted.
allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
# Reads of apex_info_file are not granted; dontaudit only suppresses the
# denial from the audit log (presumably encountered while walking /apex and
# not needed -- confirm before turning this into an allow rule).
dontaudit aconfigd_mainline apex_info_file:file r_file_perms;

###
### Neverallow assertions
###
# Build-time checks: the policy fails to compile if any rule elsewhere would
# grant these accesses.

# Only init may transition into aconfigd_mainline (via the exec transition set
# up by init_daemon_domain); every other domain is excluded.
neverallow { domain -init } aconfigd_mainline:process transition;
# No domain at all, init included, may dynamically transition into
# aconfigd_mainline; the exec transition is the only entry point.
neverallow * aconfigd_mainline:process dyntransition;