| # |
| # Rules to allow the Android CTS to run. |
| # Do not enable in production policy. |
| # |
| |
| bool android_cts false; |
| if (android_cts) { |
| # For TestDeviceSetup (RootProcessScanner). |
| # Reads /proc/pid/status and statm entries to check that |
| # no unexpected root processes are running. |
| # Also for android.security.cts.VoldExploitTest. |
| # Requires ability to read /proc/pid/cmdline of vold. |
| allow appdomain domain:dir r_dir_perms; |
| allow appdomain domain:{ file lnk_file } r_file_perms; |
| |
| # Will still fail when trying to read other app /proc/pid |
| # entries due to MLS constraints. Just silence the denials. |
| dontaudit appdomain appdomain:dir r_dir_perms; |
| dontaudit appdomain appdomain:file r_file_perms; |
| |
| # For android.permission.cts.FileSystemPermissionTest. |
| # Walk the file tree, stat any file in order to check file permissions. |
| allow appdomain fs_type:dir r_dir_perms; |
| allow appdomain dev_type:dir r_dir_perms; |
| allow appdomain file_type:dir_file_class_set getattr; |
| allow appdomain dev_type:dir_file_class_set getattr; |
| allow appdomain fs_type:dir_file_class_set getattr; |
| |
| # Tries to open /dev/alarm for writing but expects failure. |
| dontaudit appdomain alarm_device:chr_file write; |
| |
| # For android.security.cts.VoldExploitTest. |
| # Tries to create and use a netlink kobject uevent socket |
| # to test for a vulnerable vold. |
| dontaudit appdomain self:netlink_kobject_uevent_socket create; |
| |
| # Tries to override DAC restrictions but expects to fail. |
| dontaudit shell self:capability dac_override; |
| } |
