selinux setup for files under /metadata/aconfig dir

1, /metadata/aconfig is the directory that stores aconfig storage
related protobuf files and flag value files boot copy. Grant read
access to everybody. But limit the write access only to init and
aconfig storage service process (to be created later)

2, /metadata/aconfig/flags is the sub directory that stores persistent
aconfig flag value files. Initially, set it up to be accessible by the
system_server process only. When the aconfig storage service process is
created, a further permission will be added for that service process.

Context to why we are hosting flag data on /metadata partition:

Android is adopting trunk stable workflow, flagging and A/B testing is
essential to every platform component. We need some place to host the
flag that are accessible to system processes that starts before /data
partition becomes available.

In addition, there has been a long discussion regarding utilizing
/metadata partition for some process data, another example is mainline
modules, we are trying to make them to be able to be mounted earlier,
but cannot due to /data availability.

Bug: 312444587
Test: m
Change-Id: I7e7dae5cf8c4268d71229c770af31b5e9f071428
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index f75312a..7c0c662 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -1215,6 +1215,12 @@
 
 /metadata                                                         metadata_file
 /metadata/test                                                    metadata_file
+/metadata/aconfig                                                 aconfig_storage_metadata_file
+/metadata/aconfig/test                                            aconfig_storage_metadata_file
+/metadata/aconfig/flags                                           aconfig_storage_flags_metadata_file
+/metadata/aconfig/flags/test                                      aconfig_storage_flags_metadata_file
+/metadata/aconfig/boot                                            aconfig_storage_metadata_file
+/metadata/aconfig/boot/test                                       aconfig_storage_metadata_file
 /metadata/apex                                                    apex_metadata_file
 /metadata/apex/test                                               apex_metadata_file
 /metadata/vold                                                    vold_metadata_file
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1de001e..351d647 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -43,4 +43,6 @@
     vendor_microdroid_file
     threadnetwork_config_prop
     profiling_service
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
   ))
diff --git a/private/file_contexts b/private/file_contexts
index cba5660..7d9660b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -855,6 +855,8 @@
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
 /metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
+/metadata/aconfig(/.*)?    u:object_r:aconfig_storage_metadata_file:s0
+/metadata/aconfig/flags(/.*)?    u:object_r:aconfig_storage_flags_metadata_file:s0
 
 #############################
 # asec containers
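Review bot: The two new entries at L64-L65 carry no comment explaining why `/metadata/aconfig/flags` is labeled separately from the rest of the tree, and both patterns match the flags subtree, so their relative order is presumably load-bearing and a later edit could merge or reorder them without noticing. A one-line comment above the pair would pin the intent, e.g. `# /metadata/aconfig/flags holds the persistent flag values (system_server-only); everything else under /metadata/aconfig (pb files, boot copy) is world-readable.` The commit message already states this split; the policy file itself does not.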
diff --git a/private/system_server.te b/private/system_server.te
index e5ade71..b58315d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1456,6 +1456,9 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
+allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
+allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+
 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
 allow system_server repair_mode_metadata_file:file create_file_perms;
 
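Review bot: The new rules at L77-L78 give system_server full read/write on the `aconfig_storage_flags_metadata_file` directory and files, but nothing here lets system_server traverse the parent `/metadata/aconfig` directory, whose type per this change is `aconfig_storage_metadata_file`, so reaching `/metadata/aconfig/flags` by path would still need `allow system_server aconfig_storage_metadata_file:dir search;` (traversal of `/metadata` itself may already be granted elsewhere; not visible here). As written that search permission would also be rejected by the `aconfig_storage_metadata_file:dir *` neverallow added to public/domain.te in this same change, so the two need to be reconciled together.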
@@ -1512,6 +1515,11 @@
 neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
 neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
 
+# Only system server should access /metadata/aconfig
+# TODO: add storage daemon to neverallow exception when it is introduced
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }
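Review bot: The comment at L87 says "Only system server should access /metadata/aconfig", but the neverallows at L89-L90 are on `aconfig_storage_flags_metadata_file`, i.e. only the `/metadata/aconfig/flags` subtree; `/metadata/aconfig` itself is made world-readable in public/domain.te by this same change, so the comment overstates the rule. Suggested wording: `# Only init and system_server may access /metadata/aconfig/flags (persistent flag values); the boot copy under /metadata/aconfig is readable by all domains.` The TODO about the storage daemon is fine as is.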
diff --git a/public/domain.te b/public/domain.te
index d630a24..e27da4f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -341,6 +341,12 @@
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)
 
+# Allow everyone to read from flag value boot snapshot files and general pb files
+# The boot copy of the flag value files serves flag read traffic for all processes, thus
+# needs to be readable by everybody. Also, the metadata directory will contain pb file
+# that records where flag storage files are, so also needs to be readable by everbody.
+allow domain { aconfig_storage_metadata_file }:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
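Review bot: The allow at L107 grants every domain only `:file r_file_perms`, yet a process that opens a file under `/metadata/aconfig` or `/metadata/aconfig/boot` also needs `search` on those directories, which this change labels `aconfig_storage_metadata_file`; no `:dir` permission is granted here, so the "readable by everybody" goal in the comment at L103-L106 is not actually achieved by this hunk. Something like `allow domain aconfig_storage_metadata_file:dir { search getattr };` is needed alongside the file rule (traversal of `/metadata` itself may already be covered elsewhere; not visible here), and the neverallow added further down in this file would have to be narrowed to permit it. The comment also has a typo: `everbody` should be `everybody`.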
@@ -623,6 +629,11 @@
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
+# Do not allow write access to the general aconfig pb file and boot flag value files except init
+# TODO: need to add storage daemon into this exception list once it is created
+neverallow { domain -init } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
+
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
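Review bot: `neverallow { domain -init } aconfig_storage_metadata_file:dir *;` at L118 forbids every directory permission, including `search`, `getattr` and `read`, for all domains except init, which makes the world-readable boot copy unreachable by path for the very processes L107 tries to serve and also blocks system_server from traversing `/metadata/aconfig` to reach the flags subtree. The comment at L116 says the intent is to deny write access, so the rule should express that and leave read-side directory permissions open, e.g. `neverallow { domain -init } aconfig_storage_metadata_file:dir ~{ getattr open read search };`. The `:file no_w_file_perms` rule on the next line already matches the stated intent and can stay as is.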
diff --git a/public/file.te b/public/file.te
index 32c0cd8..b887406 100644
--- a/public/file.te
+++ b/public/file.te
@@ -295,6 +295,10 @@
 type watchdog_metadata_file, file_type;
 # Repair mode files within /metadata/repair-mode
 type repair_mode_metadata_file, file_type;
+# Aconfig storage file
+type aconfig_storage_metadata_file, file_type;
+# Aconfig storage flag value persistent copy
+type aconfig_storage_flags_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
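Review bot: The type comments at L132 and L134 are terser than their neighbours (L130 names the path the type covers) and do not say which paths or which kind of content each new type labels, which is the first thing a reader of a neverallow on these types will want to know. Suggested replacements: `# Aconfig storage pb files and boot flag-value copy within /metadata/aconfig (world-readable, init-written)` and `# Persistent aconfig flag-value files within /metadata/aconfig/flags (system_server only)`. Both facts are stated in the commit message but not in the policy.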
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a9d1b5d..7a74e7c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -62,6 +62,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -83,6 +85,8 @@
   -apex_metadata_file
   -apex_info_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
@@ -101,6 +105,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -119,6 +125,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -136,6 +144,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;