43 lines
1.4 KiB
Text
43 lines
1.4 KiB
Text
|
#
|
||
|
|
# Rules to allow the Android CTS to run.
|
||
|
|
# Do not enable in production policy.
|
||
|
|
#
|
||
|
|
|
||
|
|
bool android_cts false;
|
||
|
|
if (android_cts) {
|
||
|
|
# Reads /proc/pid entries to check that no unexpected root
|
||
|
|
# processes are running.
|
||
|
|
allow appdomain domain:dir r_dir_perms;
|
||
|
|
allow appdomain domain:{ file lnk_file } r_file_perms;
|
||
|
|
|
||
|
|
# Will still fail when trying to read other app /proc/pid
|
||
|
|
# entries due to MLS constraints. Just silence the denials.
|
||
|
|
dontaudit appdomain appdomain:dir r_dir_perms;
|
||
|
|
dontaudit appdomain appdomain:file r_file_perms;
|
||
|
|
|
||
|
|
# Walk the file tree, stat any file.
|
||
|
|
allow appdomain file_type:dir r_dir_perms;
|
||
|
|
allow appdomain fs_type:dir r_dir_perms;
|
||
|
|
allow appdomain dev_type:dir r_dir_perms;
|
||
|
|
allow appdomain file_type:dir_file_class_set getattr;
|
||
|
|
allow appdomain dev_type:dir_file_class_set getattr;
|
||
|
|
allow appdomain fs_type:dir_file_class_set getattr;
|
||
|
|
|
||
|
|
# Execute the shell or other system executables.
|
||
|
|
allow appdomain shell_exec:file rx_file_perms;
|
||
|
|
allow appdomain system_file:file rx_file_perms;
|
||
|
|
|
||
|
|
# Read routing information.
|
||
|
|
allow netdomain self:netlink_route_socket { create read write nlmsg_read };
|
||
|
|
|
||
|
|
# Tries to open /dev/alarm for writing but expects failure.
|
||
|
|
dontaudit appdomain alarm_device:chr_file write;
|
||
|
|
|
||
|
|
# Tries to create and use a netlink kobject uevent socket
|
||
|
|
# to test for a vulnerable vold.
|
||
|
|
dontaudit appdomain self:netlink_kobject_uevent_socket create;
|
||
|
|
|
||
|
|
# Tries to override DAC restrictions but expects to fail.
|
||
|
|
dontaudit shell self:capability dac_override;
|
||
|
|
}
|