# zygote
#
# Type-enforcement policy for the zygote domain. The rules fall into three
# groups:
#   1. what zygote may do to itself (capabilities, JIT memory, cgroups,
#      property reads);
#   2. what it may do to the processes it hands off (dyntransition, pgid)
#      and to the /data, /mnt and /storage trees it prepares for them;
#   3. neverallow assertions at the end that pin the security-critical
#      invariants: the closed set of dyntransition targets, no execution
#      from /data beyond two integrity-protected exceptions, and no access
#      to app private data beyond getattr.
typeattribute zygote coredomain;
typeattribute zygote mlstrustedsubject;

init_daemon_domain(zygote)
tmpfs_domain(zygote)

read_runtime_log_tags(zygote)

# Override DAC on files and switch uid/gid.
# setuid/setgid are presumably what let a forked child be switched to its
# app uid/gid before the dyntransition below; dac_override, dac_read_search,
# fowner and chown cover preparing directories that zygote does not own.
allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };

# Drop capabilities from bounding set.
# setpcap is what allows the capabilities granted above to be removed from
# the bounding set, presumably so they are not carried into forked children.
allow zygote self:global_capability_class_set setpcap;

# Switch SELinux context to app domains.
# These four targets are the complete set of domains zygote may transition
# into. The neverallow at the end of this file rejects every other target,
# so a new target has to be added in both places.
allow zygote self:process setcurrent;
allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
allow zygote app_zygote:process dyntransition;

# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };

# NOTE(review): no rationale is recorded for userfaultfd; presumably needed
# by the ART runtime -- confirm and name the consumer here.
userfaultfd_use(zygote)

# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
allow zygote webview_zygote:process { getpgid setpgid };
allow zygote app_zygote:process { getpgid setpgid };

# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;

# Write to /data/dalvik-cache.
# dalvikcache_data_file is also executable by zygote (see the
# "For updateability" rule below), so this is a write+execute location
# whose integrity rests on fsverity rather than on this policy alone.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;

# Create symlinks in /data/dalvik-cache.
allow zygote dalvikcache_data_file:lnk_file create_file_perms;

# Write to /data/resource-cache.
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;

# For updateability, the zygote may fetch the current boot
# classpath from the dalvik cache. Integrity of the files
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
# This is one of the two exceptions carved out of the "never execute
# anything from /data" neverallow at the end of this file.
allow zygote dalvikcache_data_file:file execute;

# Allow zygote to find files in APEX data directories.
allow zygote apex_module_data_file:dir search;

# Allow zygote to find and map files created by on device signing.
# Second exception to the /data no-execute neverallow; the on-device
# signing verification status is read via odsign_prop further down.
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { r_file_perms execute };

# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;

# Relabel /data/user /data/user_de and /data/data
# Only tmpfs -> system_data_file relabels are allowed, in that direction.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_data_file:{ dir lnk_file } relabelto;

# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };

# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };

# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };

# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };

# Bind mount on top of existing mounted obb and data directory
allow zygote media_rw_data_file:dir { mounton };

# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;

# Create symlink for /data/user/0
allow zygote tmpfs:lnk_file create;

# NOTE(review): undocumented; presumably the read-only /data mirror used for
# app data isolation -- confirm.
allow zygote mirror_data_file:dir r_dir_perms;

# Get inode of directories for app data isolation
# getattr, and only getattr, on app_data_file_type is deliberate: the
# neverallow at the end of this file forbids every other dir permission.
allow zygote {
  app_data_file_type
  system_data_file
  mnt_expand_file
}:dir getattr;

# Allow zygote to create JIT memory.
# execmem permits writable+executable anonymous memory in zygote's own
# process; the two execute rules cover the backing files for that memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
allow zygote ashmem_libcutils_device:chr_file execute;

# Execute idmap and dex2oat within zygote's own domain.
# TODO:  Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;

# Allow apps access to /vendor/overlay
r_dir_file(zygote, vendor_overlay_file)

# Control cgroups.
# sys_admin is a broad capability; besides cgroup control it is also what
# the kernel requires for the mount/mounton/unmount rules in this file.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;

# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;

# Get seapp_contexts
allow zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)

# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;

# Allow remounting rootfs as MS_SLAVE.
# tmpfs is the only filesystem type zygote may mount; fuse and sdcardfs
# may only be unmounted.
allow zygote rootfs:dir mounton;
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };

# Allow creating user-specific storage source if started before vold.
allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;

# Allow mounting user-specific storage source if started before vold.
allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };

# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };

# Allow mounting and creating files, dirs on sdcardfs.
allow zygote { sdcard_type }:dir { create_dir_perms mounton };
allow zygote { sdcard_type }:file { create_file_perms };

# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;

# Allow zygote to write to statsd.
unix_socket_send(zygote, statsdw, statsd)

# Root fs.
r_dir_file(zygote, rootfs)

# System file accesses.
r_dir_file(zygote, system_file)

# /oem accesses.
allow zygote oemfs:dir search;

userdebug_or_eng(`
  # Allow zygote to create and write method traces in /data/misc/trace.
  # Debug builds only; user builds get no write access to /data/misc/trace.
  allow zygote method_trace_data_file:dir w_dir_perms;
  allow zygote method_trace_data_file:file { create w_file_perms };
')

# NOTE(review): undocumented; ion_device is presumably the ION memory
# allocator -- confirm whether read-only access is still required.
allow zygote ion_device:chr_file r_file_perms;
allow zygote tmpfs:dir r_dir_perms;

# NOTE(review): undocumented; execute+map on same_process_hal_file is
# presumably for loading same-process HALs into zygote -- confirm.
allow zygote same_process_hal_file:file { execute read open getattr map };

# Allow the zygote to access storage properties to check if sdcardfs is enabled.
get_prop(zygote, storage_config_prop);

# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)

# Allow the zygote to access the runtime feature flag properties.
get_prop(zygote, device_config_runtime_native_prop)
get_prop(zygote, device_config_runtime_native_boot_prop)

# Allow the zygote to access window manager native boot feature flags
# to initialize WindowManager static properties.
get_prop(zygote, device_config_window_manager_native_boot_prop)

# Ignore spurious denials.
# dontaudit only silences the audit log entry; the access is still denied.
# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
# done to determine if the file should inherit setgid. In this case, setgid on the file is
# undesirable, so suppress the denial.
# NOTE(review): sys_resource is not explained here; document the operation
# that triggers it.
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };

# Ignore spurious denials calling access() on fuse.
# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
# doesn't exist.
# TODO(b/151316657): avoid the denials
# NOTE(review): setattr is silenced alongside read/open although the
# explanation above only covers access()/read/open; confirm it is spurious.
dontaudit zygote media_rw_data_file:dir  { read open setattr };

# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;

# Send unsolicited message to system_server
unix_socket_send(zygote, system_unsolzygote, system_server)

# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)

# Allow zygote to access odsign verification status
get_prop(zygote, odsign_prop)

# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)

# Allow zygote to read qemu.sf.lcd_density
get_prop(zygote, qemu_sf_lcd_density_prop)

# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;

###
### neverallow rules
###
### neverallow rules are build-time assertions: policy compilation fails if
### any allow rule in the final policy would grant the listed access. They
### grant nothing themselves.

# Ensure that all types assigned to app processes are included
# in the appdomain attribute, so that all allow and neverallow rules
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server_startup, webview_zygote and
# app_zygote.
# The list below must stay in sync with the dyntransition allow rules near
# the top of this file.
neverallow zygote ~{
  appdomain
  system_server_startup
  webview_zygote
  app_zygote
}:process dyntransition;

# Zygote should never execute anything from /data except for
# /data/dalvik-cache files or files generated during on-device
# signing under /data/misc/apexdata/com.android.art/.
# Both exceptions carry an integrity guarantee (fsverity for the dalvik
# cache, on-device signing for apex_art_data_file; see the matching allow
# rules above). Any new exception needs an equivalent guarantee.
neverallow zygote {
  data_file_type
  -apex_art_data_file # map PROT_EXEC
  -dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;

# Do not allow access to Bluetooth-related system properties and files
neverallow zygote {
  bluetooth_a2dp_offload_prop
  bluetooth_audio_hal_prop
  bluetooth_prop
  exported_bluetooth_prop
}:file create_file_perms;

# Zygote should not be able to access app private data.
# getattr is the one permission zygote keeps on app data dirs (used above
# for the app-data-isolation inode lookup); everything else, including
# search and read, is forbidden.
neverallow zygote app_data_file_type:dir ~getattr;