# zygote
#
# Domain for the zygote process, the parent of system_server and of every
# app process. It holds the DAC-bypass and uid/gid switching capabilities
# needed to fork and specialize children; the neverallow rules at the end
# of this file are the hard limits on what it may transition into, execute
# and touch under /data.
typeattribute zygote coredomain;
# mlstrustedsubject exempts the domain from MLS constraints; presumably
# needed because zygote sets up app data for every user/category before it
# specializes -- TODO confirm.
typeattribute zygote mlstrustedsubject;

# Started by init (domain transition supplied by the init_daemon_domain
# macro); tmpfs_domain gives it a private tmpfs type for its own mappings.
init_daemon_domain(zygote)
tmpfs_domain(zygote)

read_runtime_log_tags(zygote)
| 9 | |
# Override DAC on files and switch uid/gid.
# NOTE(review): dac_override and dac_read_search bypass discretionary file
# permissions entirely, so DAC is not a barrier for this domain. The
# neverallow rules at the end of this file (no execute from /data, only
# getattr on app private data dirs) are what remains to bound the bypass.
allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };

# Drop capabilities from bounding set.
# setpcap is granted on self only, so a forked child can shed the
# capabilities above before it becomes an app process.
allow zygote self:global_capability_class_set setpcap;

# Switch SELinux context to app domains.
# This list must stay in sync with the dyntransition neverallow at the end
# of this file: a new target domain has to be added in both places or the
# policy will not build.
allow zygote self:process setcurrent;
allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
allow zygote app_zygote:process dyntransition;
| 22 | |
# Allow zygote to read app /proc/pid dirs (b/10455872).
# appdomain here labels the /proc/<pid> entries of app processes, not app
# data files; r_file_perms grants no write.
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };

userfaultfd_use(zygote)

# Move children into the peer process group.
# Only getpgid/setpgid on the child domains; no signal, ptrace or other
# process permission is granted here.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
allow zygote webview_zygote:process { getpgid setpgid };
allow zygote app_zygote:process { getpgid setpgid };
| 34 | |
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;

# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;

# Create symlinks in /data/dalvik-cache.
allow zygote dalvikcache_data_file:lnk_file create_file_perms;

# Write to /data/resource-cache.
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;

# For updateability, the zygote may fetch the current boot
# classpath from the dalvik cache. Integrity of the files
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
#
# NOTE(review): zygote can both create (above) and execute files of this
# type, so the fs-verity check is load-bearing: without it this rule would
# let a compromised zygote run code it wrote itself. This is one of only
# two /data types exempted from the no_x_file_perms neverallow at the end
# of this file.
allow zygote dalvikcache_data_file:file execute;

# Allow zygote to find files in APEX data directories.
# search only; the directory listing is not readable with this rule.
allow zygote apex_module_data_file:dir search;

# Allow zygote to find and map files created by on device signing.
# The second exemption from the no_x_file_perms neverallow below. Read and
# execute only: no rule in this file lets zygote create or write files of
# this type.
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { r_file_perms execute };
| 61 | |
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;

# Relabel /data/user /data/user_de and /data/data
# One direction only: from tmpfs to system_data_file. Nothing in this file
# lets zygote relabel anything to an app data type.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_data_file:{ dir lnk_file } relabelto;

# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };

# Bind mount subdirectories on /data/misc/profiles/cur
allow zygote user_profile_root_file:dir { mounton search };

# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };

# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };

# Bind mount on top of existing mounted obb and data directory
allow zygote media_rw_data_file:dir { mounton };

# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;

# Create symlink for /data/user/0
allow zygote tmpfs:lnk_file create;

# Read-only directory access to the mirror tree (presumably the /data
# mirror used for app data isolation -- TODO confirm).
allow zygote mirror_data_file:dir r_dir_perms;

# Get inode of directories for app data isolation
# getattr is the only permission zygote holds on app_data_file_type dirs;
# the neverallow at the end of this file (~getattr) pins it there.
allow zygote {
  app_data_file_type
  system_data_file
  mnt_expand_file
}:dir getattr;
| 98 | |
# Allow zygote to create JIT memory.
# execmem on self is a W^X exception: writable+executable anonymous memory
# in the zygote process itself. The two execute rules that follow cover the
# file-backed mapping paths (zygote's own tmpfs type and the ashmem device).
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
allow zygote ashmem_libcutils_device:chr_file execute;

# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
# NOTE(review): in-domain execution means idmap and dex2oat run with every
# permission and capability in this file (including dac_override and
# sys_admin); a dedicated domain would confine them. The TODO is still open.
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;

# Allow apps access to /vendor/overlay
# Read-only, and granted to the zygote domain itself; the wording suggests
# it exists so forked app processes start with the overlay state loaded --
# TODO confirm.
r_dir_file(zygote, vendor_overlay_file)
| 112 | |
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
# NOTE(review): CAP_SYS_ADMIN is the broadest capability granted in this
# file and is not cgroup-specific; it is presumably also what the mounton,
# filesystem mount/unmount and relabel rules elsewhere in this file depend
# on. Keep that in mind when assessing any widening of this domain.
allow zygote self:global_capability_class_set sys_admin;

# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;

# Get seapp_contexts
# r_file_perms only: nothing in this file grants write access to the input
# of the app label computation.
allow zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
| 132 | |
# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;

# Allow remounting rootfs as MS_SLAVE.
# Filesystem-class mount is granted for tmpfs only; fuse and sdcardfs get
# unmount alone, so these rules do not let zygote mount new fuse/sdcardfs
# instances.
allow zygote rootfs:dir mounton;
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };

# Allow creating user-specific storage source if started before vold.
allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;

# Allow mounting user-specific storage source if started before vold.
allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };

# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };

# Allow mounting and creating files, dirs on sdcardfs.
# sdcard_type is presumably an attribute, so this covers every type
# carrying it -- TODO confirm.
allow zygote { sdcard_type }:dir { create_dir_perms mounton };
allow zygote { sdcard_type }:file { create_file_perms };

# Handle --invoke-with command when launching Zygote with a wrapper command.
# This is zygote's own binary; the only other rx grants in this file are
# idmap_exec and dex2oat_exec above.
allow zygote zygote_exec:file rx_file_perms;
| 160 | |
# Allow zygote to write to statsd.
unix_socket_send(zygote, statsdw, statsd)

# Root fs.
r_dir_file(zygote, rootfs)

# System file accesses.
r_dir_file(zygote, system_file)

# /oem accesses.
# search only; no read of /oem directory contents with this rule.
allow zygote oemfs:dir search;

userdebug_or_eng(`
  # Allow zygote to create and write method traces in /data/misc/trace.
  # Debug builds only: user builds get no write access to this type.
  allow zygote method_trace_data_file:dir w_dir_perms;
  allow zygote method_trace_data_file:file { create w_file_perms };
')

allow zygote ion_device:chr_file r_file_perms;
allow zygote tmpfs:dir r_dir_perms;

# Executable mapping of same-process HAL libraries into the zygote process
# (presumably vendor-supplied code, loaded here so forked apps inherit it --
# TODO confirm). Read/execute/map only; no write.
allow zygote same_process_hal_file:file { execute read open getattr map };
| 183 | |
# Allow the zygote to access storage properties to check if sdcardfs is enabled.
# All property access in this block is read-only (get_prop); no set_prop is
# granted to zygote anywhere in this file.
get_prop(zygote, storage_config_prop);

# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)

# Allow the zygote to access the runtime feature flag properties.
get_prop(zygote, device_config_runtime_native_prop)
get_prop(zygote, device_config_runtime_native_boot_prop)

# Allow the zygote to access window manager native boot feature flags
# to initialize WindowManager static properties.
get_prop(zygote, device_config_window_manager_native_boot_prop)
| 198 | |
# Ignore spurious denials.
# dontaudit only suppresses the audit log entry; the access is still denied.
# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
# done to determine if the file should inherit setgid. In this case, setgid on the file is
# undesirable, so suppress the denial.
# NOTE(review): sys_resource is suppressed alongside fsetid, but the
# justification above covers fsetid only; the reason for sys_resource
# should be recorded here so the suppression can be revisited.
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };

# Ignore spurious denials calling access() on fuse.
# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
# doesn't exist.
# TODO(b/151316657): avoid the denials
dontaudit zygote media_rw_data_file:dir { read open setattr };
| 210 | |
# Allow zygote to use ashmem fds from system_server.
# fd use only: zygote may act on descriptors system_server hands it; no rule
# here lets it open system_server's files itself.
allow zygote system_server:fd use;

# Send unsolicited message to system_server
unix_socket_send(zygote, system_unsolzygote, system_server)

# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)

# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)

# Allow zygote to read qemu.sf.lcd_density
get_prop(zygote, qemu_sf_lcd_density_prop)

# Allow zygote to read /apex/apex-info-list.xml
# Read-only.
allow zygote apex_info_file:file r_file_perms;
| 228 | |
| 229 | ### |
| 230 | ### neverallow rules |
| 231 | ### |
| 232 | |
| 233 | # Ensure that all types assigned to app processes are included |
| 234 | # in the appdomain attribute, so that all allow and neverallow rules |
| 235 | # written on appdomain are applied to all app processes. |
| 236 | # This is achieved by ensuring that it is impossible for zygote to |
| 237 | # setcon (dyntransition) to any types other than those associated |
| 238 | # with appdomain plus system_server_startup, webview_zygote and |
| 239 | # app_zygote. |
| 240 | neverallow zygote ~{ |
| 241 | appdomain |
| 242 | system_server_startup |
| 243 | webview_zygote |
| 244 | app_zygote |
| 245 | }:process dyntransition; |
| 246 | |
| 247 | # Zygote should never execute anything from /data except for |
| 248 | # /data/dalvik-cache files or files generated during on-device |
| 249 | # signing under /data/misc/apexdata/com.android.art/. |
| 250 | neverallow zygote { |
| 251 | data_file_type |
| 252 | -apex_art_data_file # map PROT_EXEC |
| 253 | -dalvikcache_data_file # map PROT_EXEC |
| 254 | }:file no_x_file_perms; |
| 255 | |
| 256 | # Do not allow access to Bluetooth-related system properties and files |
| 257 | neverallow zygote { |
| 258 | bluetooth_a2dp_offload_prop |
| 259 | bluetooth_audio_hal_prop |
| 260 | bluetooth_prop |
| 261 | exported_bluetooth_prop |
| 262 | }:file create_file_perms; |
| 263 | |
| 264 | # Zygote should not be able to access app private data. |
| 265 | neverallow zygote app_data_file_type:dir ~getattr; |