From 6aca515cd3a60653e2243a3044809929aec5cc27 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 1 Jul 2013 12:07:03 -0700
Subject: [PATCH] zygote: enable SELinux restrictions

This change enables SELinux security enforcement on zygote (but not zygote spawned apps).

For the zygote.te file only, this change is equivalent to reverting the following commits:

* 50e37b93ac97631dcac6961285b92af5026557af
* 77d4731e9d30c8971e076e2469d6957619019921

No other changes were required.

Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change.

Bug: 9657732
Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
---
zygote.te | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/zygote.te b/zygote.te
index 4603d75b4..773318ea1 100644
--- a/zygote.te
+++ b/zygote.te
@@ -2,6 +2,42 @@ type zygote, domain;
 type zygote_exec, exec_type, file_type;
-permissive zygote;
 init_daemon_domain(zygote)
-unconfined_domain(zygote)
+typeattribute zygote mlstrustedsubject;
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid };
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow zygote system:process dyntransition;
+allow zygote appdomain:process dyntransition;
+# Move children into the peer process group.
+allow zygote system:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+# Write to system data.
+allow zygote system_data_file:dir rw_dir_perms;
+allow zygote system_data_file:file create_file_perms;
+allow zygote dalvikcache_data_file:dir rw_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+# Execute dexopt.
+allow zygote system_file:file x_file_perms;
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(zygote)
+
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard_type:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton search };
+allow zygote tmpfs:filesystem mount;
+allow zygote labeledfs:filesystem remount;
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file { execute_no_trans open };
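Review bot: The `allow zygote self:capability sys_admin;` line sits under `# Control cgroups.` but that comment understates it: mount(2) requires CAP_SYS_ADMIN in the kernel, so the `tmpfs:filesystem mount`, `labeledfs:filesystem remount` and `*:dir mounton` rules in the `/storage/emulated` section below depend on this same grant, and it is by far the broadest capability the now-enforcing zygote domain holds. Suggest `# sys_admin: needed for cgroup control and for the tmpfs mount / remount of /storage/emulated below; broadest capability in this domain.` so a later reader neither drops it nor assumes it is cgroup-only. Likewise `labeledfs:filesystem remount` is not scoped to the emulated-storage mount; if a narrower filesystem type exists it would limit what a compromised zygote can remount, though this hunk alone does not show whether one is available. The commit message's "no denials" testing demonstrates sufficiency rather than minimality, so a one-line why-comment next to each broad rule (`dac_override`, `sys_admin`, the `appdomain:process dyntransition`) naming the operation that needs it would keep the policy auditable as it tightens.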