# zygote
# Domain for the zygote process: the parent that forks every app process and
# the system_server, then hands each child its own uid/gid and SELinux context.
type zygote, domain;
type zygote_exec, exec_type, file_type;

# Standard daemon-domain setup macro (defined elsewhere in the policy).
init_daemon_domain(zygote)
# mlstrustedsubject attribute -- presumably exempts zygote from MLS
# constraints; verify against the mls file before relying on it.
typeattribute zygote mlstrustedsubject;

# Capabilities held by the zygote domain:
#   dac_override/fowner/setuid/setgid: override DAC on files and switch
#     uid/gid (the forked child assumes the target app's identity).
#   setpcap: drop capabilities from the bounding set.
#   sys_admin: control cgroups. This bit is broad; it is likely also what
#     the mount/remount rules further down in this file depend on.
# NOTE(review): with dac_override + setuid/setgid this domain can act as any
# uid on any file -- keep this set minimal.
allow zygote self:capability { dac_override fowner setgid setuid setpcap sys_admin };

# Children switch their own SELinux context (process:dyntransition) into
# system or one of the app domains; no exec-based transition is involved.
allow zygote { system appdomain }:process dyntransition;
# ... and are moved into the peer process group.
allow zygote { system appdomain }:process { getpgid setpgid };

# Read + write app data dirs (b/10455872 and b/10498304).
# NOTE(review): write on every appdomain-labelled file is a wide grant;
# confirm the two bugs above still require it.
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms write };

# Write to system data and to the dalvik cache; cache files additionally
# need x_file_perms so the generated code can be mapped/executed.
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:dir rw_dir_perms;
allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };

# Execute dexopt (a system_file binary) from this domain.
allow zygote system_file:file x_file_perms;

# Create/manage cgroup directories.
allow zygote cgroup:dir create_dir_perms;

# Validate an SELinux context before using it for a child.
selinux_check_context(zygote)
# Query the kernel for SELinux permission decisions.
selinux_check_access(zygote)
# Read /seapp_contexts and /data/security/seapp_contexts.
security_access_policy(zygote)
36
# Setting up /storage/emulated.
# Zygote mounts over rootfs and over sdcard_type/tmpfs directories, creating
# mount points as needed; tmpfs may be mounted and labeled filesystems
# remounted. sdcard_type and tmpfs dirs need the same permission set.
allow zygote rootfs:dir mounton;
allow zygote { sdcard_type tmpfs }:dir { create add_name write setattr search mounton };
# fsetid denials here are silenced rather than granted -- presumably
# triggered by chmod/chown on the mount points; confirm before widening.
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:filesystem mount;
allow zygote labeledfs:filesystem remount;
44
# Handle --invoke-with when Zygote is launched through a wrapper command.
# The wrapper re-executes the zygote binary from inside this domain, so it
# needs execute_no_trans (stay in the zygote domain) rather than a transition.
allow zygote zygote_exec:file { open execute_no_trans };
47
# Bugreport support (b/10498304).
# NOTE(review): these grants (write to shell_data_file, execute on the ashmem
# device, binder to init/system/servicemanager) are wider than a forking
# parent usually needs; they are tied to the bug above -- recheck when it is
# resolved.
allow zygote ashmem_device:chr_file execute;
allow zygote shell_data_file:file { getattr write };
allow zygote { init servicemanager }:binder call;
allow zygote system:binder { call transfer };
54