Policies have been adjusted for Android 11.

[waydroid.git] / data / configs / android_app

#include <tunables/global>

profile android_app flags=(attach_disconnected, complain, mediate_deleted) {
  #include <abstractions/base>
  /** ix,
  /dev** rw,
  network,
  unix,
  owner /proc** rw,
  / r,
  /* r,
  deny pivot_root,
  deny dbus,
  capability sys_nice,
  capability wake_alarm,
  capability setpcap,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_admin,
  capability wake_alarm,
  capability block_suspend,
  capability sys_time,
  capability net_admin,
  capability net_raw,
  capability net_bind_service,
  capability kill,
  capability dac_override,
  capability chown,
  mount fstype=tmpfs -> /storage**,
  mount fstype=tmpfs -> /data/misc/profiles**,
  mount options in (rw,bind) options in (rw,rbind) -> /storage**,
  mount options in (rw,bind) options in (rw,rbind) -> /data/misc/profiles**,
  mount /dev/fuse -> /storage**,
  mount -> /,
  umount /storage**,

  ptrace (read,readby,trace,tracedby) peer=android_app//&lxc-waydroid,
  ptrace (read,trace,readby,tracedby) peer=lxc-waydroid,
  ptrace (read,trace,readby,tracedby) peer=adbd//&lxc-waydroid,

  signal (send,receive) peer=android_app//&lxc-waydroid,
  signal (receive) peer=adbd//&lxc-waydroid,
  signal (send,receive) peer=lxc-waydroid,
  signal (receive),

  /acct** rwkl,
  /linkerconfig** r,
  owner /data** rwkl,
  /data/app** r,
  /data/system/unsolzygotesocket rw,
  /data/dalvik-cache** r,
  /data/misc** r,
  /data/lineageos_updates** r,
  /apex** mr,
  /data/system_ce/** rw,
  /data/data/com.android** rw,
  /data/misc/profiles** rw,
  /data/user_de/** rw,
  /storage** rwkl,
  /data/tombstone** rw,
  /mnt/user** rw,
  owner /proc** rw,
  /proc** r,
  /proc/*/timerslack_ns w,
  /system/bin** mr,
  /system/lib** mr,
  /system** r,
  /sys** r,
  /sys/kernel/debug/tracing** w,
  /vendor** r,
  /vendor_extra** r,

# This seems to be important for Magisk to function
#  /system/framework** wk,

  
}