Skip to content
Snippets Groups Projects
Select Git revision
  • nougat-cts-dev
  • master default protected
  • android-7.1.2_r28_klist
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
41 results

app.te

Blame
  • app.te 16.91 KiB
    ###
    ### Domain for all zygote spawned apps
    ###
    ### This file is the base policy for all zygote spawned apps.
    ### Other policy files, such as isolated_app.te, untrusted_app.te, etc
    ### extend from this policy. Only policies which should apply to ALL
    ### zygote spawned apps should be added here.
    ###
    
    # WebView and other application-specific JIT compilers
    allow appdomain self:process execmem;
    
    allow appdomain ashmem_device:chr_file execute;
    
    # Receive and use open file descriptors inherited from zygote.
    allow appdomain zygote:fd use;
    
    # gdbserver for ndk-gdb reads the zygote.
    # valgrind needs mmap exec for zygote
    allow appdomain zygote_exec:file rx_file_perms;
    
    # Read system properties managed by zygote.
    allow appdomain zygote_tmpfs:file read;
    
    # Notify zygote of death;
    allow appdomain zygote:process sigchld;
    
    # Place process into foreground / background
    allow appdomain cgroup:dir { search write };
    allow appdomain cgroup:file rw_file_perms;
    
    # Read /data/dalvik-cache.
    allow appdomain dalvikcache_data_file:dir { search getattr };
    allow appdomain dalvikcache_data_file:file r_file_perms;
    
    # Read the /sdcard and /mnt/sdcard symlinks
    allow appdomain rootfs:lnk_file r_file_perms;
    allow appdomain tmpfs:lnk_file r_file_perms;
    
    # Search /storage/emulated tmpfs mount.
    allow appdomain tmpfs:dir r_dir_perms;
    
    userdebug_or_eng(`
      # Notify zygote of the wrapped process PID when using --invoke-with.
      allow appdomain zygote:fifo_file write;
    
      # Allow apps to create and write method traces in /data/misc/trace.
      allow appdomain method_trace_data_file:dir w_dir_perms;
      allow appdomain method_trace_data_file:file { create w_file_perms };
    ')
    
    # Notify shell and adbd of death when spawned via runas for ndk-gdb.
    allow appdomain shell:process sigchld;
    allow appdomain adbd:process sigchld;
    
    # child shell or gdbserver pty access for runas.
    allow appdomain devpts:chr_file { getattr read write ioctl };
    
    # Use pipes and sockets provided by system_server via binder or local socket.
    allow appdomain system_server:fifo_file rw_file_perms;
    allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
    allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
    
    # Communication with other apps via fifos
    allow appdomain appdomain:fifo_file rw_file_perms;
    
    # Communicate with surfaceflinger.
    allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
    
    # App sandbox file accesses.