Home | History | Annotate | Download | only in sepolicy 
      1 # zygote
      2 type zygote, domain;
      3 type zygote_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(zygote)
      6 typeattribute zygote mlstrustedsubject;
      7 # Override DAC on files and switch uid/gid.
      8 allow zygote self:capability { dac_override setgid setuid fowner chown };
      9 # Drop capabilities from bounding set.
     10 allow zygote self:capability setpcap;
     11 # Switch SELinux context to app domains.
     12 allow zygote self:process setcurrent;
     13 allow zygote system_server:process dyntransition;
     14 allow zygote appdomain:process dyntransition;
     15 # Allow zygote to read app /proc/pid dirs (b/10455872)
     16 allow zygote appdomain:dir { getattr search };
     17 allow zygote appdomain:file { r_file_perms };
     18 # Move children into the peer process group.
     19 allow zygote system_server:process { getpgid setpgid };
     20 allow zygote appdomain:process { getpgid setpgid };
     21 # Read system data.
     22 allow zygote system_data_file:dir r_dir_perms;
     23 allow zygote system_data_file:file r_file_perms;
     24 # Write to /data/dalvik-cache.
     25 allow zygote dalvikcache_data_file:dir create_dir_perms;
     26 allow zygote dalvikcache_data_file:file create_file_perms;
     27 # Create symlinks in /data/dalvik-cache
     28 allow zygote dalvikcache_data_file:lnk_file create_file_perms;
     29 # Write to /data/resource-cache
     30 allow zygote resourcecache_data_file:dir rw_dir_perms;
     31 allow zygote resourcecache_data_file:file create_file_perms;
     32 # For art.
     33 allow zygote dalvikcache_data_file:file execute;
     34 # Execute dexopt.
     35 allow zygote system_file:file x_file_perms;
     36 allow zygote dex2oat_exec:file rx_file_perms;
     37 # Control cgroups.
     38 allow zygote cgroup:dir create_dir_perms;
     39 allow zygote self:capability sys_admin;
     40 # Check validity of SELinux context before use.
     41 selinux_check_context(zygote)
     42 # Check SELinux permissions.
     43 selinux_check_access(zygote)
     44 # Read /seapp_contexts and /data/security/seapp_contexts
     45 security_access_policy(zygote)
     46 
     47 # Native bridge functionality requires that zygote replaces
     48 # /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
     49 allow zygote proc_cpuinfo:file mounton;
     50 
     51 # Setting up /storage/emulated.
     52 allow zygote rootfs:dir mounton;
     53 allow zygote sdcard_type:dir { write search setattr create add_name mounton };
     54 dontaudit zygote self:capability fsetid;
     55 allow zygote tmpfs:dir { write create add_name setattr mounton search };
     56 allow zygote tmpfs:filesystem mount;
     57 allow zygote labeledfs:filesystem remount;
     58 
     59 # Handle --invoke-with command when launching Zygote with a wrapper command.
     60 allow zygote zygote_exec:file rx_file_perms;
     61