Home | History | Annotate | Download | only in private 
      1 # zygote
      2 typeattribute zygote coredomain;
      3 typeattribute zygote domain_deprecated;
      4 typeattribute zygote mlstrustedsubject;
      5 
      6 init_daemon_domain(zygote)
      7 
      8 read_runtime_log_tags(zygote)
      9 
     10 # Override DAC on files and switch uid/gid.
     11 allow zygote self:capability { dac_override setgid setuid fowner chown };
     12 
     13 # Drop capabilities from bounding set.
     14 allow zygote self:capability setpcap;
     15 
     16 # Switch SELinux context to app domains.
     17 allow zygote self:process setcurrent;
     18 allow zygote system_server:process dyntransition;
     19 allow zygote appdomain:process dyntransition;
     20 
     21 # Allow zygote to read app /proc/pid dirs (b/10455872).
     22 allow zygote appdomain:dir { getattr search };
     23 allow zygote appdomain:file { r_file_perms };
     24 
     25 # Move children into the peer process group.
     26 allow zygote system_server:process { getpgid setpgid };
     27 allow zygote appdomain:process { getpgid setpgid };
     28 
     29 # Read system data.
     30 allow zygote system_data_file:dir r_dir_perms;
     31 allow zygote system_data_file:file r_file_perms;
     32 
     33 # Write to /data/dalvik-cache.
     34 allow zygote dalvikcache_data_file:dir create_dir_perms;
     35 allow zygote dalvikcache_data_file:file create_file_perms;
     36 
     37 # Create symlinks in /data/dalvik-cache.
     38 allow zygote dalvikcache_data_file:lnk_file create_file_perms;
     39 
     40 # Write to /data/resource-cache.
     41 allow zygote resourcecache_data_file:dir rw_dir_perms;
     42 allow zygote resourcecache_data_file:file create_file_perms;
     43 
     44 # When WITH_DEXPREOPT is true, the zygote does not load executable content from
     45 # /data/dalvik-cache.
     46 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
     47 
     48 # Execute idmap and dex2oat within zygote's own domain.
     49 # TODO:  Should either of these be transitioned to the same domain
     50 # used by installd or stay in-domain for zygote?
     51 allow zygote idmap_exec:file rx_file_perms;
     52 allow zygote dex2oat_exec:file rx_file_perms;
     53 
     54 # Allow apps access to /vendor/overlay
     55 r_dir_file(zygote, vendor_overlay_file)
     56 
     57 # Control cgroups.
     58 allow zygote cgroup:dir create_dir_perms;
     59 allow zygote cgroup:{ file lnk_file } r_file_perms;
     60 allow zygote self:capability sys_admin;
     61 
     62 # Allow zygote to stat the files that it opens. The zygote must
     63 # be able to inspect them so that it can reopen them on fork
     64 # if necessary: b/30963384.
     65 allow zygote pmsg_device:chr_file getattr;
     66 allow zygote debugfs_trace_marker:file getattr;
     67 
     68 # Get seapp_contexts
     69 allow zygote seapp_contexts_file:file r_file_perms;
     70 # Check validity of SELinux context before use.
     71 selinux_check_context(zygote)
     72 # Check SELinux permissions.
     73 selinux_check_access(zygote)
     74 
     75 # Native bridge functionality requires that zygote replaces
     76 # /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
     77 allow zygote proc_cpuinfo:file mounton;
     78 
     79 # Allow remounting rootfs as MS_SLAVE.
     80 allow zygote rootfs:dir mounton;
     81 allow zygote tmpfs:filesystem { mount unmount };
     82 allow zygote fuse:filesystem { unmount };
     83 allow zygote sdcardfs:filesystem { unmount };
     84 
     85 # Allow creating user-specific storage source if started before vold.
     86 allow zygote mnt_user_file:dir create_dir_perms;
     87 allow zygote mnt_user_file:lnk_file create_file_perms;
     88 # Allowed to mount user-specific storage into place
     89 allow zygote storage_file:dir { search mounton };
     90 
     91 # Handle --invoke-with command when launching Zygote with a wrapper command.
     92 allow zygote zygote_exec:file rx_file_perms;
     93 
     94 # Read access to pseudo filesystems.
     95 r_dir_file(zygote, proc_net)
     96 
     97 # Root fs.
     98 r_dir_file(zygote, rootfs)
     99 
    100 # System file accesses.
    101 r_dir_file(zygote, system_file)
    102 
    103 userdebug_or_eng(`
    104   # Allow zygote to create and write method traces in /data/misc/trace.
    105   allow zygote method_trace_data_file:dir w_dir_perms;
    106   allow zygote method_trace_data_file:file { create w_file_perms };
    107 ')
    108 
    109 allow zygote ion_device:chr_file r_file_perms;
    110 allow zygote tmpfs:dir r_dir_perms;
    111 
    112 # Let the zygote access overlays so it can initialize the AssetManager.
    113 get_prop(zygote, overlay_prop)
    114 
    115 ###
    116 ### neverallow rules
    117 ###
    118 
    119 # Ensure that all types assigned to app processes are included
    120 # in the appdomain attribute, so that all allow and neverallow rules
    121 # written on appdomain are applied to all app processes.
    122 # This is achieved by ensuring that it is impossible for zygote to
    123 # setcon (dyntransition) to any types other than those associated
    124 # with appdomain plus system_server.
    125 neverallow zygote ~{ appdomain system_server }:process dyntransition;
    126 
    127 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
    128 neverallow zygote {
    129   data_file_type
    130   -dalvikcache_data_file # map PROT_EXEC
    131 }:file no_x_file_perms;
    132 
    133 # Do not allow access to Bluetooth-related system properties and files
    134 neverallow zygote bluetooth_prop:file create_file_perms;
    135