Blame - zygote.te - fp2-dev/platform/external/sepolicy

blob: 225f431777f372a770a7ee4068c49199934b39dd [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	# zygote
				2	type zygote, domain;
				3	type zygote_exec, exec_type, file_type;
				4
				5	init_daemon_domain(zygote)
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	6	typeattribute zygote mlstrustedsubject;
				7	# Override DAC on files and switch uid/gid.
Geremy Condra	d615ef3	2013-09-04 16:07:37 -0700	[diff] [blame]	8	allow zygote self:capability { dac_override setgid setuid fowner };
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	9	# Drop capabilities from bounding set.
				10	allow zygote self:capability setpcap;
				11	# Switch SELinux context to app domains.
Alex Klyubin	1fdee11	2013-09-13 15:59:04 -0700	[diff] [blame]	12	allow zygote system_server:process dyntransition;
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	13	allow zygote appdomain:process dyntransition;
Nick Kralevich	e9c4181	2013-09-20 13:09:37 -0700	[diff] [blame]	14	# Allow zygote to read app /proc/pid dirs (b/10455872)
Geremy Condra	8156073	2013-08-30 13:02:30 -0700	[diff] [blame]	15	allow zygote appdomain:dir { getattr search };
Nick Kralevich	199fc73	2013-09-20 13:03:04 -0700	[diff] [blame]	16	allow zygote appdomain:file { r_file_perms };
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	17	# Move children into the peer process group.
Alex Klyubin	1fdee11	2013-09-13 15:59:04 -0700	[diff] [blame]	18	allow zygote system_server:process { getpgid setpgid };
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	19	allow zygote appdomain:process { getpgid setpgid };
				20	# Write to system data.
				21	allow zygote system_data_file:dir rw_dir_perms;
				22	allow zygote system_data_file:file create_file_perms;
				23	allow zygote dalvikcache_data_file:dir rw_dir_perms;
Stephen Smalley	49c995d	2014-01-09 09:27:15 -0500	[diff] [blame]	24	allow zygote dalvikcache_data_file:file create_file_perms;
				25	# For art.
				26	allow zygote dalvikcache_data_file:file execute;
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	27	# Execute dexopt.
				28	allow zygote system_file:file x_file_perms;
				29	# Control cgroups.
				30	allow zygote cgroup:dir create_dir_perms;
				31	allow zygote self:capability sys_admin;
				32	# Check validity of SELinux context before use.
				33	selinux_check_context(zygote)
				34	# Check SELinux permissions.
				35	selinux_check_access(zygote)
				36	# Read /seapp_contexts and /data/security/seapp_contexts
				37	security_access_policy(zygote)
				38
				39	# Setting up /storage/emulated.
				40	allow zygote rootfs:dir mounton;
				41	allow zygote sdcard_type:dir { write search setattr create add_name mounton };
				42	dontaudit zygote self:capability fsetid;
				43	allow zygote tmpfs:dir { write create add_name setattr mounton search };
				44	allow zygote tmpfs:filesystem mount;
				45	allow zygote labeledfs:filesystem remount;
				46
				47	# Handle --invoke-with command when launching Zygote with a wrapper command.
Stephen Smalley	3bfdc6b	2014-03-10 10:31:09 -0400	[diff] [blame]	48	allow zygote zygote_exec:file rx_file_perms;
Nick Kralevich	d629b87	2013-09-09 15:40:15 -0700	[diff] [blame]	49
				50	# handle bugreports b/10498304
				51	allow zygote ashmem_device:chr_file execute;
Nick Kralevich	d629b87	2013-09-09 15:40:15 -0700	[diff] [blame]	52	allow zygote shell_data_file:file { write getattr };
Alex Klyubin	82140be	2013-09-17 10:07:01 -0700	[diff] [blame]	53	allow zygote system_server:binder { transfer call };
Alex Klyubin	b9bbfeb	2013-09-09 17:17:08 -0700	[diff] [blame]	54	allow zygote servicemanager:binder { call };
dcashman	66f25cb	2014-03-05 10:18:12 -0800	[diff] [blame]	55
				56	auditallow zygote ashmem_device:chr_file execute;
				57	auditallow zygote shell_data_file:file { write getattr };
				58	auditallow zygote system_server:binder { transfer call };
				59	auditallow zygote servicemanager:binder { call };