# app_zygote is a core (non-vendor) domain. The rules in this first section
# describe what a pre-forked application zygote may do before it switches
# itself into the isolated_app domain.
typeattribute app_zygote coredomain;

######
###### Policy below is different from regular zygote-spawned apps
######

# The app_zygote needs to be able to transition domains.
# mlstrustedsubject exempts the domain from the MLS constraints that would
# otherwise interfere with the dyntransition into isolated_app below.
typeattribute app_zygote mlstrustedsubject;

# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);

# Set the UID/GID of the process.
# This will be further limited to a range of isolated UIDs with seccomp.
# NOTE: holding setuid/setgid is also why the unix-socket neverallow rules
# at the end of this file are so strict -- with these capabilities the
# process could forge uid/gid in SCM_CREDENTIALS.
allow app_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
allow app_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to isolated app domain.
# setcurrent permits the setcon() call itself; dyntransition names the only
# target domain the process may switch to (re-asserted by a neverallow below).
allow app_zygote self:process setcurrent;
allow app_zygote isolated_app:process dyntransition;

# For JIT
# execmem allows anonymous memory that is both writable and executable.
allow app_zygote self:process execmem;

# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow app_zygote debugfs_trace_marker:file getattr;

# get system_server process group
allow app_zygote system_server:process getpgid;

# Interaction between the app_zygote and its children.
# setpgid is the only process-class permission granted towards the children.
allow app_zygote isolated_app:process setpgid;

# TODO (b/63631799) fix this access
# dontaudit only suppresses the denial log; the access remains refused.
dontaudit app_zygote mnt_expand_file:dir getattr;

# Get seapp_contexts
# Read-only access to the app context mapping (presumably consulted when
# computing the child's context -- verify against the caller).
allow app_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(app_zygote)
# Check SELinux permissions.
selinux_check_access(app_zygote)
46
######
###### Policy below is shared with regular zygote-spawned apps
######

# Child of zygote.
# Inherit the parent zygote's file descriptors and let it reap us on exit.
allow app_zygote zygote:fd use;
allow app_zygote zygote:process sigchld;

# For ART (read /data/dalvik-cache).
# Execute on the cache files is required for the compiled code stored there.
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;

# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
allow app_zygote apk_data_file:file { r_file_perms execute };

# Allow app_zygote access to /vendor/overlay
# NOTE(review): no trailing ';' here, unlike the r_dir_file() call above;
# harmless, but the two macro invocations are inconsistent.
r_dir_file(app_zygote, vendor_overlay_file)

# Read-only access to system data symlinks and files. No write permission is
# granted; map is included so the files can be mmap()ed.
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
69
#####
##### Neverallow
#####
# neverallow rules are build-time assertions: a policy that grants any of the
# access listed here fails to compile. They pin the invariants of the allow
# rules above against later additions (in this file or elsewhere).

# Only permit transition to isolated_app.
neverallow app_zygote { domain -isolated_app }:process dyntransition;

# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow app_zygote { domain -crash_dump }:process transition;

# Must not exec() a program without changing domains.
# (exec()-based domain transitions are already ruled out above, so this
# closes the remaining exec() path: executing a file while staying in the
# app_zygote domain.)
neverallow app_zygote *:file execute_no_trans;

# The only way to enter this domain is for the zygote to fork a new
# app_zygote child.
neverallow { domain -zygote } app_zygote:process dyntransition;

# Disallow write access to properties.
# Covers both the property socket and the property_service class, so
# neither a raw socket write nor a set request is permitted.
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;

# Should not have any access to non-app data files.
# NOTE: this is an explicit list; a new app-private data type is not covered
# unless it is added here.
neverallow app_zygote {
    bluetooth_data_file
    nfc_data_file
    radio_data_file
    shell_data_file
}:file { rwx_file_perms };

# Only the three services listed with '-' may be looked up via
# servicemanager; every other service_manager_type is off limits.
neverallow app_zygote {
    service_manager_type
    -activity_service
    -ashmem_device_service
    -webviewupdate_service
}:service_manager find;

# Isolated apps should not be able to access the driver directly.
neverallow app_zygote gpu_device:chr_file { rwx_file_perms };

# Do not allow app_zygote access to /cache.
# '~{ ... }' negates the set: every permission other than the listed
# read-only ones is forbidden.
neverallow app_zygote cache_file:dir ~{ r_dir_perms };
neverallow app_zygote cache_file:file ~{ read getattr };

# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
# NOTE: the set is hand-expanded below rather than derived from
# socket_class_set, so a socket class added to that set later is not
# covered here unless it is also added to this list.
neverallow app_zygote domain:{
  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
  appletalk_socket netlink_route_socket netlink_tcpdiag_socket
  netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
  sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
  x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
  pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
  rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;

# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
# Think twice before changing.
# The su/heapprofd carve-outs are wrapped in userdebug_or_eng(), so on user
# builds only app_zygote itself and logd are exempt from this rule.
neverallow app_zygote {
  domain
  -app_zygote
  -logd
  userdebug_or_eng(`-su')
  userdebug_or_eng(`-heapprofd')
}:unix_dgram_socket *;

# Same shape as the datagram rule above, but note there is no -logd here:
# stream sockets to logd are forbidden as well.
neverallow app_zygote {
  domain
  -app_zygote
  userdebug_or_eng(`-su')
  userdebug_or_eng(`-heapprofd')
}:unix_stream_socket *;

# Never allow ptrace
neverallow app_zygote *:process ptrace;

# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
  bluetooth_a2dp_offload_prop
  bluetooth_audio_hal_prop
  bluetooth_prop
  exported_bluetooth_prop
}:file create_file_perms;
159