Blame - zygote.te - fp2-dev/platform/external/sepolicy

blob: 4d169f3587ccb85fe57a2b03c3f5d63dc63a09b7 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	# zygote
				2	type zygote, domain;
				3	type zygote_exec, exec_type, file_type;
				4
				5	init_daemon_domain(zygote)
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	6	typeattribute zygote mlstrustedsubject;
				7	# Override DAC on files and switch uid/gid.
Narayan Kamath	3a06a72	2014-04-28 15:17:29 +0100	[diff] [blame]	8	allow zygote self:capability { dac_override setgid setuid fowner chown };
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	9	# Drop capabilities from bounding set.
				10	allow zygote self:capability setpcap;
				11	# Switch SELinux context to app domains.
Alex Klyubin	1fdee11	2013-09-13 15:59:04 -0700	[diff] [blame]	12	allow zygote system_server:process dyntransition;
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	13	allow zygote appdomain:process dyntransition;
Nick Kralevich	e9c4181	2013-09-20 13:09:37 -0700	[diff] [blame]	14	# Allow zygote to read app /proc/pid dirs (b/10455872)
Geremy Condra	8156073	2013-08-30 13:02:30 -0700	[diff] [blame]	15	allow zygote appdomain:dir { getattr search };
Nick Kralevich	199fc73	2013-09-20 13:03:04 -0700	[diff] [blame]	16	allow zygote appdomain:file { r_file_perms };
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	17	# Move children into the peer process group.
Alex Klyubin	1fdee11	2013-09-13 15:59:04 -0700	[diff] [blame]	18	allow zygote system_server:process { getpgid setpgid };
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	19	allow zygote appdomain:process { getpgid setpgid };
Stephen Smalley	df48bd2	2014-05-14 08:58:06 -0400	[diff] [blame]	20	# Read system data.
				21	allow zygote system_data_file:dir r_dir_perms;
				22	allow zygote system_data_file:file r_file_perms;
				23	# Write to /data/dalvik-cache.
Narayan Kamath	3a06a72	2014-04-28 15:17:29 +0100	[diff] [blame]	24	allow zygote dalvikcache_data_file:dir create_dir_perms;
Stephen Smalley	49c995d	2014-01-09 09:27:15 -0500	[diff] [blame]	25	allow zygote dalvikcache_data_file:file create_file_perms;
				26	# For art.
				27	allow zygote dalvikcache_data_file:file execute;
Nick Kralevich	6aca515	2013-07-01 12:07:03 -0700	[diff] [blame]	28	# Execute dexopt.
				29	allow zygote system_file:file x_file_perms;
				30	# Control cgroups.
				31	allow zygote cgroup:dir create_dir_perms;
				32	allow zygote self:capability sys_admin;
				33	# Check validity of SELinux context before use.
				34	selinux_check_context(zygote)
				35	# Check SELinux permissions.
				36	selinux_check_access(zygote)
				37	# Read /seapp_contexts and /data/security/seapp_contexts
				38	security_access_policy(zygote)
				39
				40	# Setting up /storage/emulated.
				41	allow zygote rootfs:dir mounton;
				42	allow zygote sdcard_type:dir { write search setattr create add_name mounton };
				43	dontaudit zygote self:capability fsetid;
				44	allow zygote tmpfs:dir { write create add_name setattr mounton search };
				45	allow zygote tmpfs:filesystem mount;
				46	allow zygote labeledfs:filesystem remount;
				47
				48	# Handle --invoke-with command when launching Zygote with a wrapper command.
Stephen Smalley	3bfdc6b	2014-03-10 10:31:09 -0400	[diff] [blame]	49	allow zygote zygote_exec:file rx_file_perms;