blob: 15ce3cc7997381b8ef2bb3cb3445a7886ff64de6 [file] [log] [blame]
# aconfigd -- manager for aconfig flags
type aconfigd, domain, coredomain, mlstrustedsubject;
type aconfigd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(aconfigd)
allow aconfigd metadata_file:dir search;
allow aconfigd {
aconfig_storage_metadata_file
aconfig_storage_flags_metadata_file
}:dir create_dir_perms;
allow aconfigd {
aconfig_storage_metadata_file
aconfig_storage_flags_metadata_file
}:file create_file_perms;
# allow aconfigd to access shell_data_file for atest
userdebug_or_eng(`
allow aconfigd shell_data_file:dir search;
allow aconfigd shell_data_file:file { getattr read open map };
')
# allow aconfigd to log to the kernel dmesg via a file descriptor
# passed from init to aconfigd
allow aconfigd kmsg_device:chr_file write;
# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
dontaudit aconfigd apex_info_file:file r_file_perms;
###
### Neverallow assertions
###
# only init is allowed to enter the aconfigd domain
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;