1# aconfigd -- manager for aconfig flags 2type aconfigd, domain; 3type aconfigd_exec, exec_type, file_type, system_file_type; 4 5typeattribute aconfigd coredomain; 6 7init_daemon_domain(aconfigd) 8 9# only init is allowed to enter the aconfigd domain 10neverallow { domain -init } aconfigd:process transition; 11neverallow * aconfigd:process dyntransition; 12 13allow aconfigd metadata_file:dir search; 14 15allow aconfigd { 16 aconfig_storage_metadata_file 17 aconfig_storage_flags_metadata_file 18}:dir create_dir_perms; 19 20allow aconfigd { 21 aconfig_storage_metadata_file 22 aconfig_storage_flags_metadata_file 23}:file create_file_perms; 24 25allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write }; 26allow aconfigd aconfigd_socket:sock_file rw_file_perms; 27 28# allow aconfigd to access shell_data_file for atest 29userdebug_or_eng(` 30 allow aconfigd shell_data_file:dir search; 31 allow aconfigd shell_data_file:file { getattr read open map }; 32') 33 34# allow aconfigd to log to the kernel. 35allow aconfigd kmsg_device:chr_file w_file_perms; 36 37# allow aconfigd to read vendor partition storage files 38allow aconfigd vendor_aconfig_storage_file:file r_file_perms; 39allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms; 40 41# allow aconfigd to read /apex dir 42allow aconfigd apex_mnt_dir:dir r_dir_perms; 43allow aconfigd apex_mnt_dir:file r_file_perms; 44