zygote: enable SELinux restrictions

This change enables SELinux security enforcement on zygote
(but not zygote spawned apps).

For the zygote.te file only, this change is equivalent to reverting
the following commits:

* 50e37b93ac
* 77d4731e9d

No other changes were required.

Testing: As much as possible, I've tested that zygote properly
starts up, and that there's no problem spawning zygote or zygote
apps. There were no denials in the kernel dmesg log, and
everything appears to work correctly. It's quite
possible I've missed something. If we experience problems, I'm
happy to roll back this change.

Bug: 9657732
Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
This commit is contained in:
Nick Kralevich 2013-07-01 12:07:03 -07:00
parent 7914a47f05
commit 6aca515cd3


@ -2,6 +2,42 @@
type zygote, domain;
type zygote_exec, exec_type, file_type;
permissive zygote;
init_daemon_domain(zygote)
unconfined_domain(zygote)
typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
allow zygote system:process dyntransition;
allow zygote appdomain:process dyntransition;
# Move children into the peer process group.
allow zygote system:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Write to system data.
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:dir rw_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# Execute dexopt.
allow zygote system_file:file x_file_perms;
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)
# Setting up /storage/emulated.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
allow zygote labeledfs:filesystem remount;
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file { execute_no_trans open };
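Review bot: The comment `# Control cgroups.` above `allow zygote self:capability sys_admin;` understates what that rule grants: CAP_SYS_ADMIN also gates mount(2)/remount, so it is what makes the later `tmpfs:filesystem mount`, `labeledfs:filesystem remount` and `mounton` rules under `# Setting up /storage/emulated.` usable, and it is one of the broadest capabilities in the kernel. I would widen the comment so the next reader auditing zygote does not assume it can be dropped once cgroup handling moves elsewhere, e.g. `# CAP_SYS_ADMIN: cgroup control, and mount/remount for the /storage/emulated setup below. Very broad; revisit if either use goes away.` The `dontaudit zygote self:capability fsetid;` line also has no comment of its own saying which operation triggers the fsetid check and why the denial is safe to silence, which is the minimum a dontaudit should carry. The rendered page has lost the +/- markers, so I am reading `permissive zygote;` and `unconfined_domain(zygote)` as the removed lines per the commit message; the rest appears to run to the end of the file.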