platform_system_sepolicy/cts.te
2012-01-04 12:33:27 -05:00

42 lines
1.4 KiB
Text

#
# Rules to allow the Android CTS to run.
# Do not enable in production policy.
#
bool android_cts false;
if (android_cts) {
# Reads /proc/pid entries to check that no unexpected root
# processes are running.
allow appdomain domain:dir r_dir_perms;
allow appdomain domain:{ file lnk_file } r_file_perms;
# Will still fail when trying to read other app /proc/pid
# entries due to MLS constraints. Just silence the denials.
dontaudit appdomain appdomain:dir r_dir_perms;
dontaudit appdomain appdomain:file r_file_perms;
# Walk the file tree, stat any file.
allow appdomain file_type:dir r_dir_perms;
allow appdomain fs_type:dir r_dir_perms;
allow appdomain dev_type:dir r_dir_perms;
allow appdomain file_type:dir_file_class_set getattr;
allow appdomain dev_type:dir_file_class_set getattr;
allow appdomain fs_type:dir_file_class_set getattr;
# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
# Read routing information.
allow netdomain self:netlink_route_socket { create read write nlmsg_read };
# Tries to open /dev/alarm for writing but expects failure.
dontaudit appdomain alarm_device:chr_file write;
# Tries to create and use a netlink kobject uevent socket
# to test for a vulnerable vold.
dontaudit appdomain self:netlink_kobject_uevent_socket create;
# Tries to override DAC restrictions but expects to fail.
dontaudit shell self:capability dac_override;
}