Diffstat (limited to 'zygote.te')
-rw-r--r-- | zygote.te | 15 |
1 files changed, 14 insertions, 1 deletions
@@ -53,7 +53,8 @@ allow zygote rootfs:dir mounton;
 allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M
 dontaudit zygote self:capability fsetid; # TODO: deprecated in M
 allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
-allow zygote tmpfs:filesystem mount; # TODO: deprecated in M
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
 
 # Allowed to create user-specific storage source if started before vold
@@ -64,3 +65,15 @@ allow zygote storage_file:dir { search mounton };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
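Review bot: The rewritten tmpfs rule in the first hunk drops the `# TODO: deprecated in M` marker that the removed line carried, so a reader can no longer tell whether the mount permission is still slated for removal or is now being kept on purpose; if the intent is only to add unmount, keep the marker, e.g. `allow zygote tmpfs:filesystem { mount unmount }; # TODO: mount deprecated in M`. The new `allow zygote fuse:filesystem { unmount };` is also the only rule in this hunk with no comment, and unmount is a new capability for the zygote domain, so a one-line comment stating why zygote must unmount tmpfs and fuse filesystems would help (the reason is not visible in the hunk, so I am not proposing wording for it). The neverallow in the second hunk is well explained and needs nothing further.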