# zygote
#
# Domain for the zygote daemon, which dyntransitions its children into the
# system and app domains (see the :process rules below).  Because of the
# capabilities and mount permissions granted here, this domain is highly
# privileged and every new rule added to it deserves a second look.
type zygote, domain;
type zygote_exec, exec_type, file_type;

init_daemon_domain(zygote)
typeattribute zygote mlstrustedsubject;

# Capabilities kept by the daemon:
#   dac_override   - bypass file permission bits
#   setuid/setgid  - switch uid/gid for the child
#   setpcap        - drop capabilities from the bounding set
#   sys_admin      - cgroup control; presumably also what the mount(2)
#                    calls at the bottom of this file rely on
# dac_override and sys_admin are both very broad grants.
allow zygote self:capability { dac_override setgid setuid setpcap sys_admin };
# Expected fsetid denials are silenced.  dontaudit only suppresses the
# audit record; the operation is still denied.
dontaudit zygote self:capability fsetid;

# Children: switch the SELinux context of the forked process (no exec
# involved) and move it into the peer process group.
allow zygote { system appdomain }:process { dyntransition getpgid setpgid };

# Validate a context, and check access against it, before switching to it.
# /seapp_contexts is presently on the rootfs.
selinux_check_context(zygote)
selinux_check_access(zygote)
allow zygote rootfs:file r_file_perms;

# System data and the dalvik cache: full directory and file write access.
allow zygote { system_data_file dalvikcache_data_file }:dir rw_dir_perms;
allow zygote { system_data_file dalvikcache_data_file }:file create_file_perms;

# Execute dexopt (and anything else labeled system_file).
allow zygote system_file:file x_file_perms;

# Cgroup directories.
allow zygote cgroup:dir create_dir_perms;

# Setting up /storage/emulated: mount a tmpfs, populate it, and mount on
# top of rootfs and sdcard directories.  mounton over the rootfs is a
# strong permission; keep it scoped to this daemon.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
allow zygote tmpfs:dir { write create add_name setattr mounton };
allow zygote tmpfs:filesystem mount;