1*e4a36f41SAndroid Build Coastguard Worker# aconfigd_mainline -- manager for mainline aconfig flags 2*e4a36f41SAndroid Build Coastguard Workertype aconfigd_mainline, domain, coredomain, mlstrustedsubject; 3*e4a36f41SAndroid Build Coastguard Workertype aconfigd_mainline_exec, exec_type, file_type, system_file_type; 4*e4a36f41SAndroid Build Coastguard Worker 5*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(aconfigd_mainline) 6*e4a36f41SAndroid Build Coastguard Worker 7*e4a36f41SAndroid Build Coastguard Worker# allow aconfigd_mainline to search /metadata dir as it needs to access files under 8*e4a36f41SAndroid Build Coastguard Worker# /metadata/aconfig dir 9*e4a36f41SAndroid Build Coastguard Workerallow aconfigd_mainline metadata_file:dir search; 10*e4a36f41SAndroid Build Coastguard Worker 11*e4a36f41SAndroid Build Coastguard Worker# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir 12*e4a36f41SAndroid Build Coastguard Workerallow aconfigd_mainline { 13*e4a36f41SAndroid Build Coastguard Worker aconfig_storage_metadata_file 14*e4a36f41SAndroid Build Coastguard Worker aconfig_storage_flags_metadata_file 15*e4a36f41SAndroid Build Coastguard Worker}:dir create_dir_perms; 16*e4a36f41SAndroid Build Coastguard Worker 17*e4a36f41SAndroid Build Coastguard Workerallow aconfigd_mainline { 18*e4a36f41SAndroid Build Coastguard Worker aconfig_storage_metadata_file 19*e4a36f41SAndroid Build Coastguard Worker aconfig_storage_flags_metadata_file 20*e4a36f41SAndroid Build Coastguard Worker}:file create_file_perms; 21*e4a36f41SAndroid Build Coastguard Worker 22*e4a36f41SAndroid Build Coastguard Worker# allow aconfigd_mainline to log to the kernel. 23*e4a36f41SAndroid Build Coastguard Workerallow aconfigd_mainline kmsg_device:chr_file write; 24*e4a36f41SAndroid Build Coastguard Worker 25*e4a36f41SAndroid Build Coastguard Worker# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all 26*e4a36f41SAndroid Build Coastguard Worker# dirs under /apex to find all currently mounted mainline modules and get their 27*e4a36f41SAndroid Build Coastguard Worker# storage files 28*e4a36f41SAndroid Build Coastguard Workerallow aconfigd_mainline apex_mnt_dir:dir r_dir_perms; 29*e4a36f41SAndroid Build Coastguard Workerallow aconfigd_mainline apex_mnt_dir:file r_file_perms; 30*e4a36f41SAndroid Build Coastguard Workerdontaudit aconfigd_mainline apex_info_file:file r_file_perms; 31*e4a36f41SAndroid Build Coastguard Worker 32*e4a36f41SAndroid Build Coastguard Worker### 33*e4a36f41SAndroid Build Coastguard Worker### Neverallow assertions 34*e4a36f41SAndroid Build Coastguard Worker### 35*e4a36f41SAndroid Build Coastguard Worker 36*e4a36f41SAndroid Build Coastguard Worker# only init is allowed to enter the aconfigd_mainline domain 37*e4a36f41SAndroid Build Coastguard Workerneverallow { domain -init } aconfigd_mainline:process transition; 38*e4a36f41SAndroid Build Coastguard Workerneverallow * aconfigd_mainline:process dyntransition; 39