Home | History | Annotate | Download | only in sepolicy 
      1 # zygote
      2 type zygote, domain;
      3 type zygote_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(zygote)
      6 typeattribute zygote mlstrustedsubject;
      7 # Override DAC on files and switch uid/gid.
      8 allow zygote self:capability { dac_override setgid setuid fowner chown };
      9 # Drop capabilities from bounding set.
     10 allow zygote self:capability setpcap;
     11 # Switch SELinux context to app domains.
     12 allow zygote self:process setcurrent;
     13 allow zygote system_server:process dyntransition;
     14 allow zygote appdomain:process dyntransition;
     15 # Allow zygote to read app /proc/pid dirs (b/10455872)
     16 allow zygote appdomain:dir { getattr search };
     17 allow zygote appdomain:file { r_file_perms };
     18 # Move children into the peer process group.
     19 allow zygote system_server:process { getpgid setpgid };
     20 allow zygote appdomain:process { getpgid setpgid };
     21 # Read system data.
     22 allow zygote system_data_file:dir r_dir_perms;
     23 allow zygote system_data_file:file r_file_perms;
     24 # Read system security data.
     25 allow zygote keychain_data_file:dir r_dir_perms;
     26 allow zygote keychain_data_file:file r_file_perms;
     27 # Write to /data/dalvik-cache.
     28 allow zygote dalvikcache_data_file:dir create_dir_perms;
     29 allow zygote dalvikcache_data_file:file create_file_perms;
     30 # Write to /data/resource-cache
     31 allow zygote resourcecache_data_file:dir rw_dir_perms;
     32 allow zygote resourcecache_data_file:file create_file_perms;
     33 # For art.
     34 allow zygote dalvikcache_data_file:file execute;
     35 # Execute dexopt.
     36 allow zygote system_file:file x_file_perms;
     37 allow zygote dex2oat_exec:file rx_file_perms;
     38 # Control cgroups.
     39 allow zygote cgroup:dir create_dir_perms;
     40 allow zygote self:capability sys_admin;
     41 # Check validity of SELinux context before use.
     42 selinux_check_context(zygote)
     43 # Check SELinux permissions.
     44 selinux_check_access(zygote)
     45 # Read /seapp_contexts and /data/security/seapp_contexts
     46 security_access_policy(zygote)
     47 
     48 # Native bridge functionality requires that zygote replaces
     49 # /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
     50 allow zygote proc_cpuinfo:file mounton;
     51 
     52 # Setting up /storage/emulated.
     53 allow zygote rootfs:dir mounton;
     54 allow zygote sdcard_type:dir { write search setattr create add_name mounton };
     55 dontaudit zygote self:capability fsetid;
     56 allow zygote tmpfs:dir { write create add_name setattr mounton search };
     57 allow zygote tmpfs:filesystem mount;
     58 allow zygote labeledfs:filesystem remount;
     59 
     60 # Handle --invoke-with command when launching Zygote with a wrapper command.
     61 allow zygote zygote_exec:file rx_file_perms;
     62