# zygote
#
# SELinux type-enforcement policy for the zygote domain (Android sepolicy).
# Each "allow <source> <target>:<class> <perms>;" line grants exactly that
# access and nothing more; anything not listed is denied (and logged, unless a
# dontaudit rule suppresses the log entry).  The *_perms names and the
# parenthesised macros are defined outside this file.
type zygote, domain;
type zygote_exec, exec_type, file_type;

# Macro defined elsewhere; presumably sets up the init -> zygote transition
# on zygote_exec (confirm against the macro body).
init_daemon_domain(zygote)
# Marks zygote as exempt from MLS constraints (reason not recorded here).
typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
# dac_override bypasses file-mode checks entirely; setuid/setgid cover the
# uid/gid switch named in the heading; fowner/chown apply to files zygote
# creates (which ones is not visible in this file).
allow zygote self:capability { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
# setpcap is required to modify the capability bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
# setcurrent lets the process write /proc/self/attr/current; the dyntransition
# rules limit which domains a forked child may switch into: system_server or
# any domain carrying the appdomain attribute.  Nothing else is allowed here.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
# appdomain:dir / appdomain:file here are the /proc/<pid> entries of app
# processes (labeled with the process domain), not app data files.
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
# Full create/write access to the directory, its files and (below) symlinks.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# Create symlinks in /data/dalvik-cache
allow zygote dalvikcache_data_file:lnk_file create_file_perms;
# Write to /data/resource-cache
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;
# For art.
# NOTE(review): combined with the create_file_perms rules above, zygote can
# both write and execute dalvikcache_data_file, so the same domain controls
# the contents of what it later maps executable.  Confirm this is intended
# and that no neverallow elsewhere in the policy is meant to forbid it.
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
# x_file_perms on system_file (the broad /system label) covers every
# executable there, not only dexopt; dex2oat has its own type on the next line.
allow zygote system_file:file x_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
# Control cgroups.
# sys_admin is one of the broadest capabilities (it also covers mount/umount);
# NOTE(review): presumably it also backs the mount/mounton rules further
# down, so keep it paired with the narrowest filesystem rules possible.
allow zygote cgroup:dir create_dir_perms;
allow zygote self:capability sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384
# The pmsg_device rule is commented out (reason not recorded here), so this
# block only grants the debugfs entries that follow.
# allow zygote pmsg_device:chr_file { getattr };
allow zygote debugfs:dir search;
allow zygote debugfs:file { getattr };

# The three macros below are defined elsewhere; presumably they grant the
# selinuxfs access needed to compute and validate app labels before the
# dyntransition above (confirm against the macro bodies).
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)

# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;

# Setting up /storage/emulated.
# Mount points on rootfs/tmpfs/sdcard_type plus the directory operations
# needed to create and relabel them.  fsetid is silenced, not granted.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
# remount only (no fresh mount) of an already-mounted labeled filesystem.
allow zygote labeledfs:filesystem remount;

# Handle --invoke-with command when launching Zygote with a wrapper command.
# Presumably so the wrapper can re-exec the zygote binary itself — confirm.
allow zygote zygote_exec:file rx_file_perms;