Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index b0be7b0..9590349 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -433,6 +433,7 @@
 /system/bin/virtual_touchpad                                      virtual_touchpad_exec
 /system/bin/hw/android.frameworks.bufferhub@1.0-service           fwk_bufferhub_exec
 /system/bin/hw/android.system.suspend-service                     system_suspend_exec
+/system/etc/aconfig                                               system_aconfig_storage_file
 /system/etc/cgroups.json                                          cgroup_desc_file
 /system/etc/task_profiles/cgroups_0.json                          cgroup_desc_api_file
 /system/etc/task_profiles/cgroups_999.json                        cgroup_desc_api_file
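Review bot: The new test entries (this hunk and the ones at -497 and -731) check only the bare directory path, so the `(/.*)?` tail of the new file_contexts patterns and the `system/vendor` alternative are never exercised. Neighbouring tests pair a directory with a `does_not_exist` child. Adding `/system/etc/aconfig/does_not_exist  system_aconfig_storage_file` and `/system/vendor/etc/aconfig  vendor_aconfig_storage_file` would follow that convention. Without them, a later narrowing of the pattern could leave the storage files with a different label than the one aconfigd is allowed to read, and this test would still pass.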
@@ -497,6 +498,7 @@
 /system/vendor/bin/toolbox                                        vendor_toolbox_exec
 /vendor/etc                                                       vendor_configs_file
 /vendor/etc/does_not_exist                                        vendor_configs_file
+/vendor/etc/aconfig                                               vendor_aconfig_storage_file
 /system/vendor/etc                                                vendor_configs_file
 /system/vendor/etc/does_not_exist                                 vendor_configs_file
 /vendor/etc/cgroups.json                                          vendor_cgroup_desc_file
@@ -731,6 +733,8 @@
 /system_ext/overlay/does_not_exist                                vendor_overlay_file
 /system/system_ext/overlay                                        vendor_overlay_file
 /system/system_ext/overlay/does_not_exist                         vendor_overlay_file
+/system_ext/etc/aconfig                                           system_aconfig_storage_file
+/product/etc/aconfig                                              system_aconfig_storage_file
 
 /system_ext/etc/selinux/system_ext_file_contexts                  file_contexts_file
 /system/system_ext/etc/selinux/system_ext_file_contexts           file_contexts_file
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 0621125..43a08ce 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -26,3 +26,11 @@
 
 # allow aconfigd to log to the kernel.
 allow aconfigd kmsg_device:chr_file w_file_perms;
+
+# allow aconfigd to read system/system_ext/product partition storage files
+allow aconfigd system_aconfig_storage_file:file r_file_perms;
+allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
+
+# allow aconfigd to read vendor partition storage files
+allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
+allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
diff --git a/private/domain.te b/private/domain.te
index 94e1ad8..66bce05 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -652,6 +652,7 @@
     -vendor_task_profiles_file
     -vendor_uuid_mapping_config_file
     -vndk_sp_file
+    -vendor_aconfig_storage_file
   }:file *;
 ')
 
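Review bot: `-vendor_aconfig_storage_file` exempts the type from this rule for every source domain it covers and for all file permissions (`}:file *`), while the only access this commit grants is read by aconfigd. The rule's head is outside the hunk, so its exact scope is inferred. If it is the restriction on core domains touching vendor files, a later over-broad allow on this type would no longer be caught at build time. Consider a comment on the entry such as `# read by aconfigd (private/aconfigd.te): RO flag storage under /vendor/etc/aconfig`, plus a narrow neverallow on the type that names only the intended readers. The visible entries are alphabetical, so the new one would sit before `vendor_task_profiles_file`.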
diff --git a/private/file.te b/private/file.te
index 6d8c923..c4341af 100644
--- a/private/file.te
+++ b/private/file.te
@@ -151,3 +151,9 @@
 
 # Type for aconfig daemon socket
 type aconfigd_socket, file_type, coredomain_socket;
+
+# Type for /(system|system_ext|product)/etc/aconfig
+type system_aconfig_storage_file, system_file_type, file_type;
+
+# Type for /vendor/etc/aconfig
+type vendor_aconfig_storage_file, vendor_file_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 807ac44..63b3d1e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -358,6 +358,7 @@
 /system/bin/virtual_camera       u:object_r:virtual_camera_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.system\.suspend-service               u:object_r:system_suspend_exec:s0
+/(system|system_ext|product)/etc/aconfig(/.*)?                u:object_r:system_aconfig_storage_file:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
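Review bot: The pattern `/(system|system_ext|product)/etc/aconfig(/.*)?` does not match `/system/system_ext/etc/aconfig` or `/system/product/etc/aconfig`, although the vendor entry added in this file uses `(vendor|system/vendor)` and the test file lists `/system/system_ext/...` paths for other types. On a layout where system_ext or product lives under /system, the storage files would keep whatever label an earlier rule gives them, and the new aconfigd allow rules cover only the two new types. If such layouts are supported for aconfig storage (not visible from this page), widen the pattern to `/(system|system_ext|system/system_ext|product|system/product)/etc/aconfig(/.*)?` and add matching test entries.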
@@ -430,6 +431,8 @@
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
 
+/(vendor|system/vendor)/etc/aconfig(/.*)?                      u:object_r:vendor_aconfig_storage_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0