# zygote
#
# Domain for the zygote process. Everything below is what zygote needs to
# start and relabel child processes and set up their environment. Several
# grants are broad (dac_override, sys_admin, write+execute on dalvik-cache,
# mount/remount), so additions to this file deserve a careful review.
type zygote, domain;
type zygote_exec, exec_type, file_type;

init_daemon_domain(zygote)
# MLS-trusted subject: zygote is exempt from MLS constraints.
typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
# dac_override bypasses file permission checks entirely; setuid/setgid
# are what let zygote change the uid/gid of the processes it starts.
allow zygote self:capability { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
# dyntransition (setcon-style relabel of the running process, not an exec
# transition). The target set is only system_server and appdomain; any new
# target added here extends what zygote can relabel itself into.
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# For art.
# Note: together with create_file_perms above this gives zygote both write
# and execute on dalvikcache_data_file, so the integrity of that directory
# is part of zygote's trust boundary.
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
allow zygote system_file:file x_file_perms;
# Control cgroups.
# sys_admin is much broader than cgroup control; it is granted because the
# cgroup setup needs it (see comment above), not because zygote needs the
# rest of what sys_admin allows.
allow zygote cgroup:dir create_dir_perms;
allow zygote self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)

# Setting up /storage/emulated.
# Mount-related grants: mounton for rootfs/sdcard/tmpfs dirs, mount of
# tmpfs, and remount of any labeledfs. remount on labeledfs is not limited
# to the emulated-storage mount points — presumably the narrowest type
# available at the time; worth confirming if this is revisited.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
# dontaudit silences the fsetid denial; it does not grant the capability.
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
allow zygote labeledfs:filesystem remount;

# Handle --invoke-with command when launching Zygote with a wrapper command.
# Read+execute on its own executable only (rx_file_perms, no write).
allow zygote zygote_exec:file rx_file_perms;