zygote.te revision 6c4c27e626341a3676631ce687d006e85e0710b7
1# zygote 2type zygote, domain; 3type zygote_exec, exec_type, file_type; 4 5init_daemon_domain(zygote) 6typeattribute zygote mlstrustedsubject; 7# Override DAC on files and switch uid/gid. 8allow zygote self:capability { dac_override setgid setuid }; 9# Drop capabilities from bounding set. 10allow zygote self:capability setpcap; 11# Switch SELinux context to app domains. 12allow zygote system:process dyntransition; 13allow zygote appdomain:process dyntransition; 14# Move children into the peer process group. 15allow zygote system:process { getpgid setpgid }; 16allow zygote appdomain:process { getpgid setpgid }; 17# Write to system data. 18allow zygote system_data_file:dir rw_dir_perms; 19allow zygote system_data_file:file create_file_perms; 20allow zygote dalvikcache_data_file:dir rw_dir_perms; 21allow zygote dalvikcache_data_file:file create_file_perms; 22# Execute dexopt. 23allow zygote system_file:file x_file_perms; 24# Control cgroups. 25allow zygote cgroup:dir create_dir_perms; 26allow zygote self:capability sys_admin; 27# Check validity of SELinux context before use. 28selinux_check_context(zygote) 29# Check SELinux permissions. 30selinux_check_access(zygote) 31# Read /seapp_contexts and /data/security/seapp_contexts 32security_access_policy(zygote) 33 34# Setting up /storage/emulated. 35allow zygote rootfs:dir mounton; 36allow zygote sdcard_type:dir { write search setattr create add_name mounton }; 37dontaudit zygote self:capability fsetid; 38allow zygote tmpfs:dir { write create add_name setattr mounton search }; 39allow zygote tmpfs:filesystem mount; 40 41# Handle --invoke-with command when launching Zygote with a wrapper command. 42allow zygote zygote_exec:file { execute_no_trans open }; 43