• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# zygote
2type zygote, domain;
3type zygote_exec, exec_type, file_type;
4
5init_daemon_domain(zygote)
6typeattribute zygote mlstrustedsubject;
7# Override DAC on files and switch uid/gid.
8allow zygote self:capability { dac_override setgid setuid fowner chown };
9# Drop capabilities from bounding set.
10allow zygote self:capability setpcap;
11# Switch SELinux context to app domains.
12allow zygote self:process setcurrent;
13allow zygote system_server:process dyntransition;
14allow zygote appdomain:process dyntransition;
15# Allow zygote to read app /proc/pid dirs (b/10455872)
16allow zygote appdomain:dir { getattr search };
17allow zygote appdomain:file { r_file_perms };
18# Move children into the peer process group.
19allow zygote system_server:process { getpgid setpgid };
20allow zygote appdomain:process { getpgid setpgid };
21# Read system data.
22allow zygote system_data_file:dir r_dir_perms;
23allow zygote system_data_file:file r_file_perms;
24# Write to /data/dalvik-cache.
25allow zygote dalvikcache_data_file:dir create_dir_perms;
26allow zygote dalvikcache_data_file:file create_file_perms;
27# Create symlinks in /data/dalvik-cache
28allow zygote dalvikcache_data_file:lnk_file create_file_perms;
29# Write to /data/resource-cache
30allow zygote resourcecache_data_file:dir rw_dir_perms;
31allow zygote resourcecache_data_file:file create_file_perms;
32# For art.
33allow zygote dalvikcache_data_file:file execute;
34# Execute dexopt.
35allow zygote system_file:file x_file_perms;
36allow zygote dex2oat_exec:file rx_file_perms;
37# Control cgroups.
38allow zygote cgroup:dir create_dir_perms;
39allow zygote self:capability sys_admin;
40# Check validity of SELinux context before use.
41selinux_check_context(zygote)
42# Check SELinux permissions.
43selinux_check_access(zygote)
44# Read /seapp_contexts and /data/security/seapp_contexts
45security_access_policy(zygote)
46
47# Native bridge functionality requires that zygote replaces
48# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
49allow zygote proc_cpuinfo:file mounton;
50
51# Setting up /storage/emulated.
52allow zygote rootfs:dir mounton;
53allow zygote sdcard_type:dir { write search setattr create add_name mounton };
54dontaudit zygote self:capability fsetid;
55allow zygote tmpfs:dir { write create add_name setattr mounton search };
56allow zygote tmpfs:filesystem mount;
57allow zygote labeledfs:filesystem remount;
58
59# Handle --invoke-with command when launching Zygote with a wrapper command.
60allow zygote zygote_exec:file rx_file_perms;
61