# zygote
#
# Policy for the zygote process, the parent of every app process and of
# system_server.  The allow rules below let it switch identity (uid/gid,
# capabilities and SELinux context) into the app domains; the neverallow
# rules at the end of the file bound which contexts that switch may reach
# and what zygote may execute from /data.
type zygote, domain, domain_deprecated;
# domain_deprecated presumably carries legacy broad permissions that are
# being phased out -- TODO confirm which of them zygote still relies on.
type zygote_exec, exec_type, file_type;

# Standard daemon setup: init transitions into the zygote domain when it
# executes a zygote_exec file (macro defined in te_macros).
init_daemon_domain(zygote)
# mlstrustedsubject exempts zygote from the MLS constraints.
typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
# setcurrent plus dyntransition is what the setcon after fork needs; the
# neverallow at the end of this file restricts the targets to exactly
# appdomain, autoplay_app and system_server.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
allow zygote { appdomain autoplay_app }:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
allow zygote { appdomain autoplay_app }:dir { getattr search };
allow zygote { appdomain autoplay_app }:file { r_file_perms };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote { appdomain autoplay_app }:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# Create symlinks in /data/dalvik-cache
allow zygote dalvikcache_data_file:lnk_file create_file_perms;
# Write to /data/resource-cache
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;
# For art.
# This is the only /data type zygote may execute; the neverallow at the
# end of the file carves it out of the blanket no_x_file_perms rule.
allow zygote dalvikcache_data_file:file execute;
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
# NOTE(review): CAP_SYS_ADMIN is also the capability the kernel checks for
# the mount/unmount/mounton operations granted further down.
allow zygote self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)

# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;

# Allow remounting rootfs as MS_SLAVE
allow zygote rootfs:dir mounton;
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };

# Allowed to create user-specific storage source if started before vold
allow zygote mnt_user_file:dir create_dir_perms;
allow zygote mnt_user_file:lnk_file create_file_perms;
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };

# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;

# Read access to pseudo filesystems.
r_dir_file(zygote, proc_net)

# Root fs.
allow zygote rootfs:file r_file_perms;

# System file accesses.
allow zygote system_file:dir r_dir_perms;
allow zygote system_file:file r_file_perms;

# The rules inside this macro are compiled only into userdebug and eng
# builds; user builds do not get them.
userdebug_or_eng(`
# Allow zygote to create and write method traces in /data/misc/trace.
allow zygote method_trace_data_file:dir w_dir_perms;
allow zygote method_trace_data_file:file { create w_file_perms };
')

###
### neverallow rules
###

# Ensure that all types assigned to app processes are included
# in the appdomain attribute, so that all allow and neverallow rules
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.
# ~{ ... } is the complement set: every type except the three listed.
# An allow rule elsewhere that names any other dyntransition target
# makes policy compilation fail.
neverallow zygote ~{ appdomain autoplay_app system_server }:process dyntransition;

# Zygote should never execute anything from /data except for /data/dalvik-cache files.
# data_file_type is the attribute covering the /data types; "-" subtracts
# the single exception that the "For art." allow rule above depends on.
neverallow zygote {
    data_file_type
    -dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;