Domů Procházet Nápověda
Registrovat se Přihlásit se
drachfly
/
android10
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 6b68537209
Větve Značky
android10
/
system
/
sepolicy
/
private
/
zygote.te

zygote.te 6.1 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 
  1. # zygote
    2. 

  2. typeattribute zygote coredomain;
    3. 

  3. typeattribute zygote mlstrustedsubject;
    4. 

  4. 

  5. init_daemon_domain(zygote)
    6. 

  6. 

  7. read_runtime_log_tags(zygote)
    8. 

  8. 

  9. # Override DAC on files and switch uid/gid.
    10. 

  10. allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
    11. 

  11. 

  12. # Drop capabilities from bounding set.
    13. 

  13. allow zygote self:global_capability_class_set setpcap;
    14. 

  14. 

  15. # Switch SELinux context to app domains.
    16. 

  16. allow zygote self:process setcurrent;
    17. 

  17. allow zygote system_server_startup:process dyntransition;
    18. 

  18. allow zygote appdomain:process dyntransition;
    19. 

  19. allow zygote webview_zygote:process dyntransition;
    20. 

  20. allow zygote app_zygote:process dyntransition;
    21. 

  21. 

  22. # Allow zygote to read app /proc/pid dirs (b/10455872).
    23. 

  23. allow zygote appdomain:dir { getattr search };
    24. 

  24. allow zygote appdomain:file { r_file_perms };
    25. 

  25. 

  26. # Move children into the peer process group.
    27. 

  27. allow zygote system_server:process { getpgid setpgid };
    28. 

  28. allow zygote appdomain:process { getpgid setpgid };
    29. 

  29. allow zygote webview_zygote:process { getpgid setpgid };
    30. 

  30. allow zygote app_zygote:process { getpgid setpgid };
    31. 

  31. 

  32. # Read system data.
    33. 

  33. allow zygote system_data_file:dir r_dir_perms;
    34. 

  34. allow zygote system_data_file:file r_file_perms;
    35. 

  35. 

  36. # Write to /data/dalvik-cache.
    37. 

  37. allow zygote dalvikcache_data_file:dir create_dir_perms;
    38. 

  38. allow zygote dalvikcache_data_file:file create_file_perms;
    39. 

  39. 

  40. # Create symlinks in /data/dalvik-cache.
    41. 

  41. allow zygote dalvikcache_data_file:lnk_file create_file_perms;
    42. 

  42. 

  43. # Write to /data/resource-cache.
    44. 

  44. allow zygote resourcecache_data_file:dir rw_dir_perms;
    45. 

  45. allow zygote resourcecache_data_file:file create_file_perms;
    46. 

  46. 

  47. # For updateability, the zygote may fetch the current boot
    48. 

  48. # classpath from the dalvik cache. Integrity of the files
    49. 

  49. # is ensured by fsverity protection (checked in art_apex_boot_integrity).
    50. 

  50. allow zygote dalvikcache_data_file:file execute;
    51. 

  51. 

  52. # Allow zygote to create JIT memory.
    53. 

  53. allow zygote self:process execmem;
    54. 

  54. 

  55. # Execute idmap and dex2oat within zygote's own domain.
    56. 

  56. # TODO:  Should either of these be transitioned to the same domain
    57. 

  57. # used by installd or stay in-domain for zygote?
    58. 

  58. allow zygote idmap_exec:file rx_file_perms;
    59. 

  59. allow zygote dex2oat_exec:file rx_file_perms;
    60. 

  60. 

  61. # Allow apps access to /vendor/overlay
    62. 

  62. r_dir_file(zygote, vendor_overlay_file)
    63. 

  63. 

  64. # Control cgroups.
    65. 

  65. allow zygote cgroup:dir create_dir_perms;
    66. 

  66. allow zygote cgroup:{ file lnk_file } r_file_perms;
    67. 

  67. allow zygote self:global_capability_class_set sys_admin;
    68. 

  68. 

  69. # Allow zygote to stat the files that it opens. The zygote must
    70. 

  70. # be able to inspect them so that it can reopen them on fork
    71. 

  71. # if necessary: b/30963384.
    72. 

  72. allow zygote pmsg_device:chr_file getattr;
    73. 

  73. allow zygote debugfs_trace_marker:file getattr;
    74. 

  74. 

  75. # Get seapp_contexts
    76. 

  76. allow zygote seapp_contexts_file:file r_file_perms;
    77. 

  77. # Check validity of SELinux context before use.
    78. 

  78. selinux_check_context(zygote)
    79. 

  79. # Check SELinux permissions.
    80. 

  80. selinux_check_access(zygote)
    81. 

  81. 

  82. # Native bridge functionality requires that zygote replaces
    83. 

  83. # /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
    84. 

  84. allow zygote proc_cpuinfo:file mounton;
    85. 

  85. 

  86. # Allow remounting rootfs as MS_SLAVE.
    87. 

  87. allow zygote rootfs:dir mounton;
    88. 

  88. allow zygote tmpfs:filesystem { mount unmount };
    89. 

  89. allow zygote fuse:filesystem { unmount };
    90. 

  90. allow zygote sdcardfs:filesystem { unmount };
    91. 

  91. 

  92. # Allow creating user-specific storage source if started before vold.
    93. 

  93. allow zygote mnt_user_file:dir { create_dir_perms mounton };
    94. 

  94. allow zygote mnt_user_file:lnk_file create_file_perms;
    95. 

  95. allow zygote mnt_user_file:file create_file_perms;
    96. 

  96. # Allowed to mount user-specific storage into place
    97. 

  97. allow zygote storage_file:dir { search mounton };
    98. 

  98. 

  99. # Allow mounting and creating files, dirs on sdcardfs.
    100. 

  100. # TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
    101. 

  101. # (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
    102. 

  102. # sdcardfs simply wraps files stored under /data/media.)
    103. 

  103. allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
    104. 

  104. allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
    105. 

  105. 

  106. # Allow zygote to expand app files while preloading libraries
    107. 

  107. allow zygote mnt_expand_file:dir getattr;
    108. 

  108. 

  109. # Handle --invoke-with command when launching Zygote with a wrapper command.
    110. 

  110. allow zygote zygote_exec:file rx_file_perms;
    111. 

  111. 

  112. # Allow zygote to write to statsd.
    113. 

  113. unix_socket_send(zygote, statsdw, statsd)
    114. 

  114. 

  115. # Root fs.
    116. 

  116. r_dir_file(zygote, rootfs)
    117. 

  117. 

  118. # System file accesses.
    119. 

  119. r_dir_file(zygote, system_file)
    120. 

  120. 

  121. # /oem accesses.
    122. 

  122. allow zygote oemfs:dir search;
    123. 

  123. 

  124. userdebug_or_eng(`
    125. 

  125.   # Allow zygote to create and write method traces in /data/misc/trace.
    126. 

  126.   allow zygote method_trace_data_file:dir w_dir_perms;
    127. 

  127.   allow zygote method_trace_data_file:file { create w_file_perms };
    128. 

  128. ')
    129. 

  129. 

  130. allow zygote ion_device:chr_file r_file_perms;
    131. 

  131. allow zygote tmpfs:dir r_dir_perms;
    132. 

  132. 

  133. allow zygote same_process_hal_file:file { execute read open getattr map };
    134. 

  134. 

  135. # Let the zygote access overlays so it can initialize the AssetManager.
    136. 

  136. get_prop(zygote, overlay_prop)
    137. 

  137. get_prop(zygote, exported_overlay_prop)
    138. 

  138. 

  139. # Allow the zygote to access the runtime feature flag properties.
    140. 

  140. get_prop(zygote, device_config_runtime_native_prop)
    141. 

  141. get_prop(zygote, device_config_runtime_native_boot_prop)
    142. 

  142. 

  143. # ingore spurious denials
    144. 

  144. dontaudit zygote self:global_capability_class_set sys_resource;
    145. 

  145. 

  146. ###
    147. 

  147. ### neverallow rules
    148. 

  148. ###
    149. 

  149. 

  150. # Ensure that all types assigned to app processes are included
    151. 

  151. # in the appdomain attribute, so that all allow and neverallow rules
    152. 

  152. # written on appdomain are applied to all app processes.
    153. 

  153. # This is achieved by ensuring that it is impossible for zygote to
    154. 

  154. # setcon (dyntransition) to any types other than those associated
    155. 

  155. # with appdomain plus system_server_startup, webview_zygote and
    156. 

  156. # app_zygote.
    157. 

  157. neverallow zygote ~{
    158. 

  158.   appdomain
    159. 

  159.   system_server_startup
    160. 

  160.   webview_zygote
    161. 

  161.   app_zygote
    162. 

  162. }:process dyntransition;
    163. 

  163. 

  164. # Zygote should never execute anything from /data except for /data/dalvik-cache files.
    165. 

  165. neverallow zygote {
    166. 

  166.   data_file_type
    167. 

  167.   -dalvikcache_data_file # map PROT_EXEC
    168. 

  168. }:file no_x_file_perms;
    169. 

  169. 

  170. # Do not allow access to Bluetooth-related system properties and files
    171. 

  171. neverallow zygote {
    172. 

  172.   bluetooth_a2dp_offload_prop
    173. 

  173.   bluetooth_audio_hal_prop
    174. 

  174.   bluetooth_prop
    175. 

  175.   exported_bluetooth_prop
    176. 

  176. }:file create_file_perms;
    177.