# zygote
#
# Domain for the zygote process, the parent from which system_server and
# every app process are forked.  Most rules below exist so that zygote can
# prepare a child (uid/gid, capabilities, SELinux context, process group,
# mounts) and then dynamically transition it into its final domain; the
# neverallow at the end of the file pins which domains are reachable.
type zygote, domain;
type zygote_exec, exec_type, file_type;

init_daemon_domain(zygote)
typeattribute zygote mlstrustedsubject;

###
### Child process setup
###

# Override DAC on files, switch uid/gid, take ownership of files, and drop
# capabilities from the bounding set (setpcap) before handing off a child.
allow zygote self:capability {
	dac_override
	setgid
	setuid
	fowner
	chown
	setpcap
};
dontaudit zygote self:capability fsetid; # TODO: deprecated in M

# Switch SELinux context: zygote sets its own context (setcurrent) and the
# kernel performs a dynamic transition into system_server or an app domain.
allow zygote self:process setcurrent;
allow zygote { system_server appdomain }:process dyntransition;

# Move children into the peer process group.
allow zygote { system_server appdomain }:process { getpgid setpgid };

# Allow zygote to read app /proc/pid dirs (b/10455872)
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file r_file_perms;

# Control cgroups.
# NOTE(review): CAP_SYS_ADMIN is far broader than cgroup management and is
# the widest capability granted in this domain.
allow zygote cgroup:dir create_dir_perms;
allow zygote self:capability sys_admin;

# Check validity of SELinux contexts before use, query access decisions,
# and read /seapp_contexts and /data/security/seapp_contexts.
selinux_check_context(zygote)
selinux_check_access(zygote)
security_access_policy(zygote)

###
### Data directories and executables
###

# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;

# /data/dalvik-cache: create directories, files and symlinks.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:lnk_file create_file_perms;
# For art.
allow zygote dalvikcache_data_file:file execute;

# /data/resource-cache.
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;

# Execute dexopt.
allow zygote system_file:file x_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;

# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;

###
### Mount namespace setup
###

# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;

# Allow remounting rootfs as MS_SLAVE
allow zygote rootfs:dir mounton;

# Legacy storage handling; the marked rules are slated for removal.
allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M
allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem unmount;
allow zygote labeledfs:filesystem remount; # TODO: deprecated in M

# User-specific storage: create the source if started before vold, then
# mount it into place.
allow zygote mnt_user_file:dir create_dir_perms;
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote storage_file:dir { search mounton };

###
### neverallow rules
###

# Ensure that all types assigned to app processes are included
# in the appdomain attribute, so that all allow and neverallow rules
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.  This rule is the guarantee that
# every domain zygote can spawn inherits the appdomain policy; any new
# child domain must be added to appdomain rather than to this exception.
neverallow zygote ~{ appdomain system_server }:process dyntransition;
74# in the appdomain attribute, so that all allow and neverallow rules
75# written on appdomain are applied to all app processes.
76# This is achieved by ensuring that it is impossible for zygote to
77# setcon (dyntransition) to any types other than those associated
78# with appdomain plus system_server.
79neverallow zygote ~{ appdomain system_server }:process dyntransition;
80