# zygote: the daemon that forks system_server and every app process and
# hands each child its own SELinux context (see the dyntransition rules).
# Because of that, the grants in this file sit on the app sandbox boundary
# and every one of them should be justifiable on its own.
type zygote, domain;
type zygote_exec, exec_type, file_type;

init_daemon_domain(zygote)

# Exempt from MLS constraints. NOTE(review): presumably needed because
# zygote touches app state at every MLS level -- confirm against the
# appdomain rules below before relying on it.
typeattribute zygote mlstrustedsubject;

# ---- Capabilities (kept one grant per purpose so each can be audited) ----
# dac_override / fowner: bypass DAC checks on files regardless of owner.
allow zygote self:capability { dac_override fowner };
# setuid / setgid: switch to the target app uid/gid before handing off.
allow zygote self:capability { setuid setgid };
# setpcap: drop capabilities from the child's bounding set.
allow zygote self:capability setpcap;
# sys_admin: listed for cgroup control, and also required by the
# mount/remount rules further down. NOTE(review): CAP_SYS_ADMIN is far
# broader than either use and is the most powerful grant in this domain.
allow zygote self:capability sys_admin;

# ---- Process control over the children it forks ----
# Switch the child into its final domain without an exec. Since no exec
# occurs, anything inherited (fds, mappings) survives the transition and
# must be scrubbed by zygote itself.
allow zygote { system_server appdomain }:process dyntransition;
# Move children into the peer process group.
allow zygote { system_server appdomain }:process { getpgid setpgid };
# Read /proc/<pid> entries of app processes (b/10455872).
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file r_file_perms;
# cgroup bookkeeping for spawned processes.
allow zygote cgroup:dir create_dir_perms;

# ---- Filesystem access ----
# Create and rewrite files under system_data_file (/data).
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
# dalvik-cache is both written (by dexopt, which runs in this domain, see
# below) and mapped PROT_EXEC by ART. NOTE(review): write + execute on the
# same type in one domain breaks W^X -- anything able to corrupt a
# dalvik-cache file gets code execution in zygote. A separate writer
# domain would restore the split.
allow zygote dalvikcache_data_file:dir rw_dir_perms;
allow zygote dalvikcache_data_file:file { create_file_perms execute };
# Run dexopt (a /system binary) in place; x_file_perms includes
# execute_no_trans, so no domain change happens.
allow zygote system_file:file x_file_perms;

# ---- Policy queries ----
# Validate each computed context before use.
selinux_check_context(zygote)
# Ask the kernel for access decisions.
selinux_check_access(zygote)
# Read /seapp_contexts and /data/security/seapp_contexts.
security_access_policy(zygote)

# ---- /storage/emulated setup ----
# Bind sdcard and tmpfs trees into the child's mount namespace and
# remount the labeled filesystem as needed.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
allow zygote labeledfs:filesystem remount;
# fsetid is deliberately not granted; its denials are silenced instead of
# logged.
dontaudit zygote self:capability fsetid;

# ---- Wrapper launch ----
# --invoke-with re-executes the zygote binary under a wrapper, staying in
# this domain (execute_no_trans).
allow zygote zygote_exec:file { execute_no_trans open };

# ---- Bugreports (b/10498304) ----
# chr_file execute permits PROT_EXEC mappings of ashmem regions.
allow zygote ashmem_device:chr_file execute;
allow zygote shell_data_file:file { write getattr };

# ---- Binder IPC with system_server and servicemanager ----
allow zygote system_server:binder { call transfer };
allow zygote servicemanager:binder call;

# ---- Legacy ----
# Unlabeled userdata on already-shipped devices; see the discussion of
# unlabeled files in domain.te. Needed for mmap/mprotect PROT_EXEC of
# dalvik-cache files that were never relabeled. NOTE(review): this
# sidesteps the dalvikcache_data_file label entirely and should be dropped
# once relabeling is guaranteed on every supported device.
allow zygote unlabeled:file execute;