75d63fcfd2
Currently, dex2oat runs in the installd sandbox, and has all the SELinux capabilities that installd does. That's too excessive. dex2oat handles untrusted user data, so we want to put it in it's own tighter sandbox. Bug: 15358102 Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
54 lines
2.1 KiB
Text
54 lines
2.1 KiB
Text
# zygote
|
|
type zygote, domain;
|
|
type zygote_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(zygote)
|
|
typeattribute zygote mlstrustedsubject;
|
|
# Override DAC on files and switch uid/gid.
|
|
allow zygote self:capability { dac_override setgid setuid fowner chown };
|
|
# Drop capabilities from bounding set.
|
|
allow zygote self:capability setpcap;
|
|
# Switch SELinux context to app domains.
|
|
allow zygote self:process setcurrent;
|
|
allow zygote system_server:process dyntransition;
|
|
allow zygote appdomain:process dyntransition;
|
|
# Allow zygote to read app /proc/pid dirs (b/10455872)
|
|
allow zygote appdomain:dir { getattr search };
|
|
allow zygote appdomain:file { r_file_perms };
|
|
# Move children into the peer process group.
|
|
allow zygote system_server:process { getpgid setpgid };
|
|
allow zygote appdomain:process { getpgid setpgid };
|
|
# Read system data.
|
|
allow zygote system_data_file:dir r_dir_perms;
|
|
allow zygote system_data_file:file r_file_perms;
|
|
# Write to /data/dalvik-cache.
|
|
allow zygote dalvikcache_data_file:dir create_dir_perms;
|
|
allow zygote dalvikcache_data_file:file create_file_perms;
|
|
# Write to /data/resource-cache
|
|
allow zygote resourcecache_data_file:dir rw_dir_perms;
|
|
allow zygote resourcecache_data_file:file create_file_perms;
|
|
# For art.
|
|
allow zygote dalvikcache_data_file:file execute;
|
|
# Execute dexopt.
|
|
allow zygote system_file:file x_file_perms;
|
|
allow zygote dex2oat_exec:file rx_file_perms;
|
|
# Control cgroups.
|
|
allow zygote cgroup:dir create_dir_perms;
|
|
allow zygote self:capability sys_admin;
|
|
# Check validity of SELinux context before use.
|
|
selinux_check_context(zygote)
|
|
# Check SELinux permissions.
|
|
selinux_check_access(zygote)
|
|
# Read /seapp_contexts and /data/security/seapp_contexts
|
|
security_access_policy(zygote)
|
|
|
|
# Setting up /storage/emulated.
|
|
allow zygote rootfs:dir mounton;
|
|
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
|
|
dontaudit zygote self:capability fsetid;
|
|
allow zygote tmpfs:dir { write create add_name setattr mounton search };
|
|
allow zygote tmpfs:filesystem mount;
|
|
allow zygote labeledfs:filesystem remount;
|
|
|
|
# Handle --invoke-with command when launching Zygote with a wrapper command.
|
|
allow zygote zygote_exec:file rx_file_perms;
|