| # |
| # Rules to allow the Android CTS to run. |
| # Do not enable in production policy. |
| # |
| |
| bool android_cts false; |
| if (android_cts) { |
| # Reads /proc/pid entries to check that no unexpected root |
| # processes are running. |
| allow appdomain domain:dir r_dir_perms; |
| allow appdomain domain:{ file lnk_file } r_file_perms; |
| |
| # Will still fail when trying to read other app /proc/pid |
| # entries due to MLS constraints. Just silence the denials. |
| dontaudit appdomain appdomain:dir r_dir_perms; |
| dontaudit appdomain appdomain:file r_file_perms; |
| |
| # Walk the file tree, stat any file. |
| allow appdomain file_type:dir r_dir_perms; |
| allow appdomain fs_type:dir r_dir_perms; |
| allow appdomain dev_type:dir r_dir_perms; |
| allow appdomain file_type:dir_file_class_set getattr; |
| allow appdomain dev_type:dir_file_class_set getattr; |
| allow appdomain fs_type:dir_file_class_set getattr; |
| |
| # Execute the shell or other system executables. |
| allow appdomain shell_exec:file rx_file_perms; |
| allow appdomain system_file:file rx_file_perms; |
| |
| # Read routing information. |
| allow netdomain self:netlink_route_socket { create read write nlmsg_read }; |
| |
| # Tries to open /dev/alarm for writing but expects failure. |
| dontaudit appdomain alarm_device:chr_file write; |
| |
| # Tries to create and use a netlink kobject uevent socket |
| # to test for a vulnerable vold. |
| dontaudit appdomain self:netlink_kobject_uevent_socket create; |
| |
| # Tries to override DAC restrictions but expects to fail. |
| dontaudit shell self:capability dac_override; |
| } |