# zygote
typeattribute zygote coredomain;
typeattribute zygote mlstrustedsubject;
init_daemon_domain(zygote)
tmpfs_domain(zygote)
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
allow zygote app_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };
userfaultfd_use(zygote)
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
allow zygote webview_zygote:process { getpgid setpgid };
allow zygote app_zygote:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
allow zygote mnt_expand_file:dir getattr;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# Create symlinks in /data/dalvik-cache.
allow zygote dalvikcache_data_file:lnk_file create_file_perms;
# Write to /data/resource-cache.
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;
# For updateability, the zygote may fetch the current boot
# classpath from the dalvik cache. Integrity of the files
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
# Allow zygote to find files in APEX data directories.
allow zygote apex_module_data_file:dir search;
# Allow zygote to find and map files created by on device signing.
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { r_file_perms execute };
# Mount tmpfs over various directories containing per-app directories, to hide
# them for app data isolation. Also traverse these directories (via
# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
allow zygote {
# /data/user{,_de}, /mnt/expand/$volume/user{,_de}
system_userdir_file
# /data/data
system_data_file
# /data/misc/profiles/cur
user_profile_root_file
# /data/misc/profiles/ref
user_profile_data_file
# /storage/emulated/$userId/Android/{data,obb}
media_rw_data_file
# /dev/__properties__
properties_device
}:dir { mounton search };
# Traverse /data_mirror to get to the above directories while their normal paths
# are hidden, in order to bind-mount allowlisted per-app directories.
allow zygote mirror_data_file:dir search;
# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
# need to be hidden by app data isolation, and traverse /mnt/expand to get to
# any allowlisted per-app directories within these directories.
allow zygote mnt_expand_file:dir { open read search };
# Get the inode number of app CE data directories to find them by inode number
# when CE storage is locked. Needed for app data isolation.
allow zygote app_data_file_type:dir getattr;
# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
allow zygote tmpfs:dir { create_dir_perms mounton };
# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
# when setting up app data isolation.
allow zygote tmpfs:lnk_file create;
# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
# standard labels. Note: it seems that not all dirs are actually relabeled yet,
# but it works anyway since all domains can search tmpfs:dir.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_userdir_file:dir relabelto;
allow zygote system_data_file:{ dir lnk_file } relabelto;
allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
allow zygote ashmem_libcutils_device:chr_file execute;
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
# Allow apps access to /vendor/overlay
r_dir_file(zygote, vendor_overlay_file)
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
# CAP_SYS_ADMIN is a very broad capability. It is granted here for the cgroup
# control above and presumably also backs the mount/unmount rules granted later
# in this file — confirm both uses before attempting to narrow it.
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;
# Get seapp_contexts
allow zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;
# Allow remounting rootfs as MS_SLAVE.
allow zygote rootfs:dir mounton;
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };
allow zygote labeledfs:filesystem { unmount };
# Allow creating user-specific storage source if started before vold.
allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;
# Allow mounting user-specific storage source if started before vold.
allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
allow zygote { sdcard_type fuse }:file { create_file_perms };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
# Allow zygote to write to statsd.
unix_socket_send(zygote, statsdw, statsd)
# Root fs.
r_dir_file(zygote, rootfs)
# System file accesses.
r_dir_file(zygote, system_file)
# /oem accesses.
allow zygote oemfs:dir search;
userdebug_or_eng(`
# Allow zygote to create and write method traces in /data/misc/trace.
allow zygote method_trace_data_file:dir w_dir_perms;
allow zygote method_trace_data_file:file { create w_file_perms };
')
# Read-only access to the ION allocator device node. The reason is not recorded
# in this file — TODO confirm this rule is still needed before keeping it.
allow zygote ion_device:chr_file r_file_perms;
# Read/list tmpfs directories; presumably complements the create/mount rights on
# tmpfs granted earlier in this file for app data isolation — confirm.
allow zygote tmpfs:dir r_dir_perms;
# Read, map and execute same-process HAL files. Presumably these libraries are
# loaded into the zygote and therefore inherited by every forked process — confirm.
allow zygote same_process_hal_file:file { execute read open getattr map };
# Allow zygote to read build properties for the attestation feature
get_prop(zygote, build_attestation_prop)
# Allow the zygote to access storage properties to check if sdcardfs is enabled.
get_prop(zygote, storage_config_prop);
# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)
# Allow the zygote to access the runtime feature flag properties.
get_prop(zygote, device_config_runtime_native_prop)
get_prop(zygote, device_config_runtime_native_boot_prop)
# Allow the zygote to access window manager native boot feature flags
# to initialize WindowManager static properties.
get_prop(zygote, device_config_window_manager_native_boot_prop)
# Ignore spurious denials
# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
# done to determine if the file should inherit setgid. In this case, setgid on the file is
# undesirable, so suppress the denial.
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
# Ignore spurious denials calling access() on fuse.
# Also ignore read and open, as sdcardfs may read and open a dir when an app tries to access a dir that
# doesn't exist.
# TODO(b/151316657): avoid the denials
dontaudit zygote media_rw_data_file:dir { read open setattr };
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
# Send unsolicited message to system_server
unix_socket_send(zygote, system_unsolzygote, system_server)
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
# Allow zygote to access odsign verification status
get_prop(zygote, odsign_prop)
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)
# Allow zygote to read qemu.sf.lcd_density
get_prop(zygote, qemu_sf_lcd_density_prop)
# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
# preloaded classes
get_prop(zygote, persist_wm_debug_prop)
# Allow zygote to read persist_sysui_builder_extras_prop
# and persist_sysui_ranking_update_prop
# to toggle experimental features in core preloaded classes
get_prop(zygote, persist_sysui_builder_extras_prop)
get_prop(zygote, persist_sysui_ranking_update_prop)
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
allow zygote vendor_apex_metadata_file:dir { search };
# Allow zygote to query for compression/features.
r_dir_file(zygote, sysfs_fs_f2fs)
# Allow zygote to read fonts_customization.xml for preloading font files that match the device locale.
allow zygote system_font_fallback_file:file r_file_perms;
###
### neverallow rules
###
# Ensure that all types assigned to app processes are included
# in the appdomain attribute, so that all allow and neverallow rules
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server_startup, webview_zygote and
# app_zygote.
neverallow zygote ~{
appdomain
system_server_startup
webview_zygote
app_zygote
}:process dyntransition;
# Zygote should never execute anything from /data except for
# /data/dalvik-cache files or files generated during on-device
# signing under /data/misc/apexdata/com.android.art/.
neverallow zygote {
data_file_type
-apex_art_data_file # map PROT_EXEC
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
# Do not allow access to Bluetooth-related system properties and files
neverallow zygote {
bluetooth_a2dp_offload_prop
bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
# Zygote should not be able to access app private data.
neverallow zygote app_data_file_type:dir ~getattr;