Merge "Install dEQP OnDevice package explicitly in DeqpTestRunner." into lmp-dev
diff --git a/CtsTestCaseList.mk b/CtsTestCaseList.mk
index a08c34f..bd906f6 100644
--- a/CtsTestCaseList.mk
+++ b/CtsTestCaseList.mk
@@ -34,16 +34,16 @@
CtsAppTestStubs \
CtsDeviceAdmin \
CtsDeviceOpenGl \
+ CtsDeviceOwnerApp \
CtsDeviceTaskswitchingAppA \
CtsDeviceTaskswitchingAppB \
CtsDeviceTaskswitchingControl \
CtsDeviceUi \
+ CtsManagedProfileApp \
CtsMonkeyApp \
CtsMonkeyApp2 \
- CtsProfileOwnerApp \
CtsSomeAccessibilityServices \
CtsThemeDeviceApp \
- SignatureTest \
TestDeviceSetup \
CtsUiAutomatorApp \
CtsUsbSerialTestApp \
@@ -113,6 +113,7 @@
CtsRsCppTestCases \
CtsSaxTestCases \
CtsSecurityTestCases \
+ CtsSignatureTestCases \
CtsSpeechTestCases \
CtsTelephonyTestCases \
CtsTextTestCases \
diff --git a/apps/CtsVerifier/AndroidManifest.xml b/apps/CtsVerifier/AndroidManifest.xml
index 3bb9a01..27439f0 100644
--- a/apps/CtsVerifier/AndroidManifest.xml
+++ b/apps/CtsVerifier/AndroidManifest.xml
@@ -728,18 +728,6 @@
</intent-filter>
</receiver>
- <activity android:name=".sensors.AccelerometerTestActivity"
- android:label="@string/snsr_accel_test"
- android:screenOrientation="nosensor">
- <intent-filter>
- <action android:name="android.intent.action.MAIN" />
- <category android:name="android.cts.intent.category.MANUAL_TEST" />
- </intent-filter>
- <meta-data android:name="test_category" android:value="@string/test_category_sensors" />
- <meta-data android:name="test_required_features"
- android:value="android.hardware.sensor.accelerometer" />
- </activity>
-
<activity android:name=".sensors.AccelerometerMeasurementTestActivity"
android:label="@string/snsr_accel_m_test"
android:screenOrientation="locked">
@@ -752,17 +740,6 @@
android:value="android.hardware.sensor.accelerometer"/>
</activity>
- <activity android:name=".sensors.GyroscopeTestActivity" android:label="@string/snsr_gyro_test"
- android:screenOrientation="nosensor">
- <intent-filter>
- <action android:name="android.intent.action.MAIN" />
- <category android:name="android.cts.intent.category.MANUAL_TEST" />
- </intent-filter>
- <meta-data android:name="test_category" android:value="@string/test_category_sensors" />
- <meta-data android:name="test_required_features"
- android:value="android.hardware.sensor.gyroscope" />
- </activity>
-
<activity android:name=".sensors.GyroscopeMeasurementTestActivity"
android:label="@string/snsr_gyro_m_test"
android:screenOrientation="locked">
@@ -811,7 +788,8 @@
android:value="android.hardware.sensor.accelerometer" />
</activity>
- <activity android:name=".sensors.RotationVectorTestActivity"
+ <!-- TODO: enable when a full set of verifications can be implemented -->
+ <!--activity android:name=".sensors.RotationVectorTestActivity"
android:label="@string/snsr_rot_vec_test"
android:screenOrientation="locked">
<intent-filter>
@@ -821,7 +799,7 @@
<meta-data android:name="test_category" android:value="@string/test_category_sensors" />
<meta-data android:name="test_required_features"
android:value="android.hardware.sensor.gyroscope" />
- </activity>
+ </activity-->
<activity android:name=".sensors.BatchingTestActivity"
android:label="@string/snsr_batch_test"
@@ -835,7 +813,7 @@
android:value="android.hardware.sensor.accelerometer" />
</activity>
- <!-- TODO: enable test when a more reliable way to identify time synchronization is available -->
+ <!-- TODO: enable when a more reliable way to identify time synchronization is available -->
<!--activity android:name=".sensors.SensorSynchronizationTestActivity"
android:label="@string/snsr_synch_test"
android:screenOrientation="locked">
diff --git a/apps/CtsVerifier/proguard.flags b/apps/CtsVerifier/proguard.flags
index be17d8b..ca4680f 100644
--- a/apps/CtsVerifier/proguard.flags
+++ b/apps/CtsVerifier/proguard.flags
@@ -10,6 +10,9 @@
-keepclassmembers class * extends com.android.cts.verifier.sensors.base.BaseSensorTestActivity {
public <methods>;
}
+-keepclassmembers class * extends android.hardware.cts.SensorTestCase {
+ public <methods>;
+}
-keepclasseswithmembers class * extends com.android.cts.verifier.location.LocationModeTestActivity
diff --git a/apps/CtsVerifier/res/values/strings.xml b/apps/CtsVerifier/res/values/strings.xml
index b233a4e..38e0ced 100644
--- a/apps/CtsVerifier/res/values/strings.xml
+++ b/apps/CtsVerifier/res/values/strings.xml
@@ -493,6 +493,8 @@
<string name="snsr_setting_location_mode">Location</string>
<string name="snsr_setting_auto_screen_off_mode">Display Sleep</string>
<string name="snsr_pass_on_error">Pass Anyway</string>
+ <string name="snsr_run_automated_tests">The screen will be turned off to execute the tests,
+ when tests complete, the device will vibrate and the screen will be turned back on.</string>
<!-- Accelerometer -->
<string name="snsr_accel_test">Accelerometer Test</string>
@@ -502,14 +504,14 @@
facing the ceiling.</string>
<string name="snsr_accel_test_face_down">Place the device on a flat surface with the screen
facing it.</string>
- <string name="snsr_accel_test_right_side">Place the device resting vertically on its right
- side.</string>
- <string name="snsr_accel_test_left_side">Place the device resting vertically on its left
- side.</string>
- <string name="snsr_accel_test_top_side">Place the device resting vertically on its top
- side.</string>
- <string name="snsr_accel_test_bottom_side">Place the device resting vertically on its bottom
- side.</string>
+ <string name="snsr_accel_test_right_side">Place the device in a flat surface resting vertically
+ on its right side.</string>
+ <string name="snsr_accel_test_left_side">Place the device in a flat surface resting vertically
+ on its left side.</string>
+ <string name="snsr_accel_test_top_side">Place the device in a flat surface resting vertically
+ on its top side.</string>
+ <string name="snsr_accel_test_bottom_side">Place the device in a flat surface resting vertically
+ on its bottom side.</string>
<!-- Gyroscope -->
<string name="snsr_gyro_test">Gyroscope Test</string>
@@ -556,7 +558,8 @@
<!-- Sensor Batching -->
<string name="snsr_batch_test">Sensor Batching Tests</string>
- <string name="snsr_batching_walking_needed">Once the test begins, you will have to walk.</string>
+ <string name="snsr_batching_walking_needed">Once the test begins, you will have to take the
+ device in your hand and walk.</string>
<string name="snsr_batching_fifo_count">FifoReservedEventCount=%1$d. Expected to be at most FifoMaxEventCount=%2$d.</string>
<!-- Sensor Synchronization -->
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerMeasurementTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerMeasurementTestActivity.java
index 945e9ab..dfcf120 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerMeasurementTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerMeasurementTestActivity.java
@@ -107,10 +107,11 @@
private String delayedVerifyMeasurements(int descriptionResId, float ... expectations)
throws Throwable {
- appendText(descriptionResId);
- appendText(R.string.snsr_test_play_sound);
- waitForUser();
- Thread.sleep(TimeUnit.MILLISECONDS.convert(10, TimeUnit.SECONDS));
+ SensorTestLogger logger = getTestLogger();
+ logger.logInstructions(descriptionResId);
+ logger.logWaitForSound();
+ waitForUserToBegin();
+ Thread.sleep(TimeUnit.MILLISECONDS.convert(7, TimeUnit.SECONDS));
try {
return verifyMeasurements(expectations);
@@ -121,9 +122,10 @@
private String verifyMeasurements(int descriptionResId, float ... expectations)
throws Throwable {
- appendText(descriptionResId);
- appendText(R.string.snsr_device_steady);
- waitForUser();
+ SensorTestLogger logger = getTestLogger();
+ logger.logInstructions(descriptionResId);
+ logger.logInstructions(R.string.snsr_device_steady);
+ waitForUserToBegin();
return verifyMeasurements(expectations);
}
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerTestActivity.java
index 597f5fb..0d4f755 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/AccelerometerTestActivity.java
@@ -31,7 +31,10 @@
* CTS Verifier case for verifying correct integration of accelerometer.
* Displays a wedge using OpenGL that, on a correctly-integrated device, always
* points down.
+ *
+ * @deprecated It has been replaced by {@link AccelerometerMeasurementTestActivity}
*/
+@Deprecated
public class AccelerometerTestActivity extends PassFailButtons.Activity {
private GLSurfaceView mGLSurfaceView;
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/GyroscopeTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/GyroscopeTestActivity.java
index 7a7a7f5..f886e75 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/GyroscopeTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/GyroscopeTestActivity.java
@@ -36,7 +36,10 @@
* Manual test for testing the gyroscope sensor. This test consists of 6 steps for all the
* different ways to rotate the device along the x, y, and z axis. It also raises a warning
* if the values seem to high and may be degrees.
+ *
+ * @deprecated It has been replaced by {@link GyroscopeMeasurementTestActivity}
*/
+@Deprecated
public class GyroscopeTestActivity extends PassFailButtons.Activity {
private static final int NUM_STAGES = 6;
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorSynchronizationTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorSynchronizationTestActivity.java
index eeb4bf0..b5ffc2a 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorSynchronizationTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorSynchronizationTestActivity.java
@@ -1,7 +1,7 @@
package com.android.cts.verifier.sensors;
-import com.android.cts.verifier.sensors.base.BaseSensorSemiAutomatedTestActivity;
+import com.android.cts.verifier.sensors.base.SensorCtsVerifierTestActivity;
import junit.framework.Assert;
@@ -25,8 +25,11 @@
*/
@TargetApi(Build.VERSION_CODES.JELLY_BEAN_MR1)
public class SensorSynchronizationTestActivity
- extends BaseSensorSemiAutomatedTestActivity
+ extends SensorCtsVerifierTestActivity
implements SensorEventListener {
+ public SensorSynchronizationTestActivity() {
+ super(SensorSynchronizationTestActivity.class);
+ }
private final double NANOS_PER_MILLI = 1e6;
private final int DATA_COLLECTION_TIME_IN_MS = 5000;
@@ -132,7 +135,7 @@
Assert.assertTrue("Gyroscope did not detect any movement", gyrMovementDetected);
}
- private void executeCrossSensorTest() throws Throwable {
+ public String testCrossSensorSynchronization() throws Throwable {
appendText("This test provides a rough indication of cross-sensor timestamp synchronization.");
appendText("Hold device still in hand and click 'Next'");
waitForUser();
@@ -144,6 +147,7 @@
stopDataCollection();
analyzeData();
+ return null;
}
protected double angleBetweenVecsDegrees(float[] vec1, float[] vec2) {
@@ -156,11 +160,6 @@
}
@Override
- protected void onRun() throws Throwable {
- executeCrossSensorTest();
- }
-
- @Override
public void onSensorChanged(SensorEvent sensorEvent) {
mSensorEvents.add(new TestSensorEvent(sensorEvent, SystemClock.elapsedRealtimeNanos()));
}
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorValueAccuracyActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorValueAccuracyActivity.java
index b720ffb..b6d7cd6 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorValueAccuracyActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SensorValueAccuracyActivity.java
@@ -96,7 +96,7 @@
}
public String testGyroscopeCalibratedUncalibrated() throws Throwable {
- appendText(R.string.snsr_keep_device_rotating_clockwise);
+ getTestLogger().logInstructions(R.string.snsr_keep_device_rotating_clockwise);
return verifyCalibratedUncalibrated(
Sensor.TYPE_GYROSCOPE,
Sensor.TYPE_GYROSCOPE_UNCALIBRATED,
@@ -113,8 +113,8 @@
int instructionsResId,
float expectedNorm,
float threshold) {
- appendText(instructionsResId);
- waitForUser();
+ getTestLogger().logInstructions(instructionsResId);
+ waitForUserToBegin();
TestSensorEnvironment environment =
new TestSensorEnvironment(getApplicationContext(), sensorType, SENSOR_RATE);
@@ -151,8 +151,9 @@
int calibratedSensorType,
int uncalibratedSensorType,
float threshold) throws Throwable {
- appendText(R.string.snsr_no_interaction);
- waitForUser();
+ SensorTestLogger logger = getTestLogger();
+ logger.logInstructions(R.string.snsr_no_interaction);
+ waitForUserToBegin();
Sensor calibratedSensor = mSensorManager.getDefaultSensor(calibratedSensorType);
if (calibratedSensor == null) {
@@ -167,7 +168,7 @@
final long timeout = TimeUnit.SECONDS.toMillis(10);
startDataCollection(calibratedSensor);
startDataCollection(uncalibratedSensor);
- appendText(R.string.snsr_test_play_sound);
+ logger.logWaitForSound();
Thread.sleep(timeout);
stopDataCollection();
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SignificantMotionTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SignificantMotionTestActivity.java
index fbc56c2..a84a045 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SignificantMotionTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/SignificantMotionTestActivity.java
@@ -67,7 +67,7 @@
false /* vibrate */);
}
- public String testNotTriggerAfterCancell() throws Throwable {
+ public String testNotTriggerAfterCancel() throws Throwable {
return runTest(
R.string.snsr_significant_motion_test_cancel,
false /* isMotionExpected */,
@@ -107,12 +107,13 @@
}
public String testTriggerDeactivation() throws Throwable {
- appendText(R.string.snsr_significant_motion_test_deactivation);
- waitForUser();
+ SensorTestLogger logger = getTestLogger();
+ logger.logInstructions(R.string.snsr_significant_motion_test_deactivation);
+ waitForUserToBegin();
TriggerVerifier verifier = new TriggerVerifier();
mSensorManager.requestTriggerSensor(verifier, mSensorSignificantMotion);
- appendText(R.string.snsr_test_play_sound);
+ logger.logWaitForSound();
// wait for the first event to trigger
verifier.verifyEventTriggered();
@@ -137,8 +138,9 @@
boolean isMotionExpected,
boolean cancelEventNotification,
boolean vibrate) throws Throwable {
- appendText(instructionsResId);
- waitForUser();
+ SensorTestLogger logger = getTestLogger();
+ logger.logInstructions(instructionsResId);
+ waitForUserToBegin();
if (vibrate) {
vibrate(VIBRATE_DURATION_MILLIS);
@@ -154,7 +156,7 @@
getString(R.string.snsr_significant_motion_cancelation),
mSensorManager.cancelTriggerSensor(verifier, mSensorSignificantMotion));
}
- appendText(R.string.snsr_test_play_sound);
+ logger.logWaitForSound();
String result;
try {
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/StepCounterTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/StepCounterTestActivity.java
index e3e934c..76d12d9 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/StepCounterTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/StepCounterTestActivity.java
@@ -139,7 +139,7 @@
vibrate(VIBRATE_PATTERN);
}
startMeasurements();
- appendText(R.string.snsr_test_play_sound);
+ getTestLogger().logWaitForSound();
Thread.sleep(TimeUnit.SECONDS.toMillis(TEST_DURATION_SECONDS));
mCheckForMotion = false;
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorSemiAutomatedTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorSemiAutomatedTestActivity.java
deleted file mode 100644
index 9f2f5c4..0000000
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorSemiAutomatedTestActivity.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2013 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.android.cts.verifier.sensors.base;
-
-import com.android.cts.verifier.sensors.reporting.SensorTestDetails;
-
-import android.hardware.cts.helpers.SensorTestStateNotSupportedException;
-
-/**
- * Base class to author a single Sensor semi-automated test case.
- *
- * @deprecated use {@link BaseSensorTestActivity} instead.
- */
-@Deprecated
-public abstract class BaseSensorSemiAutomatedTestActivity extends BaseSensorTestActivity {
- public BaseSensorSemiAutomatedTestActivity() {
- super(BaseSensorSemiAutomatedTestActivity.class);
- }
-
- @Override
- public SensorTestDetails executeTests() {
- String summary = "";
- SensorTestDetails.ResultCode resultCode = SensorTestDetails.ResultCode.PASS;
- try {
- onRun();
- } catch(SensorTestStateNotSupportedException e) {
- // the sensor state is not supported in the device, log a warning and skip the test
- resultCode = SensorTestDetails.ResultCode.SKIPPED;
- summary = e.getMessage();
- } catch(Throwable e) {
- resultCode = SensorTestDetails.ResultCode.FAIL;
- summary = e.getMessage();
- }
- return new SensorTestDetails(getTestClassName(), resultCode, summary);
- }
-
- /**
- * This is the method that subclasses will implement to define the operations that need to be
- * verified.
- * Any exception thrown will cause the test to fail, additionally mAssert can be used to verify
- * the tests state.
- *
- * throws Throwable
- */
- @Deprecated
- protected abstract void onRun() throws Throwable;
-}
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java
index 2ee1d7d..068869f 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java
@@ -167,60 +167,44 @@
*/
@Override
public void run() {
- SensorTestDetails testDetails = null;
+ String testName = getTestClassName();
- try {
- mSensorFeaturesDeactivator.requestDeactivationOfFeatures();
- activitySetUp();
- } catch (SensorTestStateNotSupportedException e) {
- testDetails = new SensorTestDetails(
- getTestClassName(),
- SensorTestDetails.ResultCode.SKIPPED,
- e.getMessage());
- } catch (Throwable e) {
- testDetails = new SensorTestDetails(
- getTestClassName(),
- SensorTestDetails.ResultCode.FAIL,
- "[ActivitySetUp] " + e.getMessage());
- }
-
- // TODO: implement execution filters:
- // - execute all tests and report results officially
- // - execute single tests or failed tests only
- if (testDetails == null) {
- testDetails = executeTests();
- }
-
- try {
- activityCleanUp();
- mSensorFeaturesDeactivator.requestToRestoreFeatures();
- } catch (Throwable e) {
- testDetails = new SensorTestDetails(
- getTestClassName(),
- SensorTestDetails.ResultCode.FAIL,
- "[ActivityCleanUp] " + e.getMessage());
+ // guarantee the proper clean up of tests based on the operations that successfully ran
+ SensorTestDetails testDetails = deactivateSensorFeatures();
+ if (testDetails.getResultCode() == SensorTestDetails.ResultCode.PASS) {
+ // sensor features
+ testDetails = executeActivitySetUp();
+ if (testDetails.getResultCode() == SensorTestDetails.ResultCode.PASS) {
+ // activity set up
+ // TODO: implement execution filters:
+ // - execute all tests and report results officially
+ // - execute single test or failed tests only
+ testDetails = executeTests();
+ try {
+ activityCleanUp();
+ } catch (Throwable e) {
+ testDetails = new SensorTestDetails(
+ testName,
+ SensorTestDetails.ResultCode.FAIL,
+ "[ActivityCleanUp] " + e.getMessage());
+ }
+ // end activity set up
+ }
+ try {
+ mSensorFeaturesDeactivator.requestToRestoreFeatures();
+ } catch (Throwable e) {
+ testDetails = new SensorTestDetails(
+ testName,
+ SensorTestDetails.ResultCode.FAIL,
+ "[RestoreSensorFeatures] " + e.getMessage());
+ }
+ // end sensor features
}
mTestLogger.logTestDetails(testDetails);
// because we cannot enforce test failures in several devices, set the test UI so the
// operator can report the result of the test
- if (testDetails.getResultCode() == SensorTestDetails.ResultCode.FAIL) {
- mTestLogger.logInstructions(R.string.snsr_test_complete_with_errors);
- enableTestResultButton(
- mPassButton,
- R.string.snsr_pass_on_error,
- testDetails.cloneAndChangeResultCode(SensorTestDetails.ResultCode.PASS));
- enableTestResultButton(
- mFailButton,
- R.string.fail_button_text,
- testDetails.cloneAndChangeResultCode(SensorTestDetails.ResultCode.FAIL));
- } else {
- mTestLogger.logInstructions(R.string.snsr_test_complete);
- enableTestResultButton(
- mPassButton,
- R.string.pass_button_text,
- testDetails.cloneAndChangeResultCode(SensorTestDetails.ResultCode.PASS));
- }
+ promptUserToSetResult(testDetails);
}
/**
@@ -253,11 +237,6 @@
}
@Deprecated
- protected void appendText(int resId, int textColor) {
- mTestLogger.logInstructions(resId);
- }
-
- @Deprecated
protected void appendText(String text, int textColor) {
appendText(text);
}
@@ -438,6 +417,63 @@
}
}
+ private SensorTestDetails deactivateSensorFeatures() {
+ String testName = getTestClassName();
+ try {
+ mSensorFeaturesDeactivator.requestDeactivationOfFeatures();
+ } catch (Throwable e) {
+ return new SensorTestDetails(
+ testName,
+ SensorTestDetails.ResultCode.FAIL,
+ "[DeactivateSensorFeatures] " + e.getMessage());
+ }
+ return new SensorTestDetails(
+ testName,
+ SensorTestDetails.ResultCode.PASS,
+ null /* summary */);
+ }
+
+ private SensorTestDetails executeActivitySetUp() {
+ String testName = getTestClassName();
+ try {
+ activitySetUp();
+ } catch (SensorTestStateNotSupportedException e) {
+ return new SensorTestDetails(
+ testName,
+ SensorTestDetails.ResultCode.SKIPPED,
+ e.getMessage());
+ } catch (Throwable e) {
+ return new SensorTestDetails(
+ testName,
+ SensorTestDetails.ResultCode.FAIL,
+ "[ActivitySetUp] " + e.getMessage());
+ }
+ return new SensorTestDetails(
+ testName,
+ SensorTestDetails.ResultCode.PASS,
+ null /* summary */);
+ }
+
+ private void promptUserToSetResult(SensorTestDetails testDetails) {
+ if (testDetails.getResultCode() == SensorTestDetails.ResultCode.FAIL) {
+ mTestLogger.logInstructions(R.string.snsr_test_complete_with_errors);
+ enableTestResultButton(
+ mPassButton,
+ R.string.snsr_pass_on_error,
+ testDetails.cloneAndChangeResultCode(SensorTestDetails.ResultCode.PASS));
+ enableTestResultButton(
+ mFailButton,
+ R.string.fail_button_text,
+ testDetails.cloneAndChangeResultCode(SensorTestDetails.ResultCode.FAIL));
+ } else {
+ mTestLogger.logInstructions(R.string.snsr_test_complete);
+ enableTestResultButton(
+ mPassButton,
+ R.string.pass_button_text,
+ testDetails.cloneAndChangeResultCode(SensorTestDetails.ResultCode.PASS));
+ }
+ }
+
private void updateNextButton(final boolean enabled) {
runOnUiThread(new Runnable() {
@Override
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/SensorCtsTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/SensorCtsTestActivity.java
index 4d2813c..77f3a41 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/SensorCtsTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/SensorCtsTestActivity.java
@@ -18,6 +18,7 @@
package com.android.cts.verifier.sensors.base;
import com.android.cts.verifier.R;
+import com.android.cts.verifier.sensors.helpers.SensorTestScreenManipulator;
import com.android.cts.verifier.sensors.reporting.SensorTestDetails;
import junit.framework.Test;
@@ -36,7 +37,11 @@
import org.junit.runners.model.InitializationError;
import org.junit.runners.model.RunnerBuilder;
+import android.app.KeyguardManager;
+import android.content.Context;
import android.hardware.cts.SensorTestCase;
+import android.os.PowerManager;
+import android.view.WindowManager;
import java.util.concurrent.TimeUnit;
@@ -49,6 +54,9 @@
*/
public abstract class SensorCtsTestActivity extends BaseSensorTestActivity {
+ private SensorTestScreenManipulator mScreenManipulator;
+ private PowerManager.WakeLock mWakeLock;
+
/**
* Constructor for a CTS test executor. It will execute a standalone CTS test class.
*
@@ -60,8 +68,33 @@
@Override
protected void activitySetUp() {
- getTestLogger().logInstructions(R.string.snsr_no_interaction);
+ mScreenManipulator = new SensorTestScreenManipulator(getApplicationContext());
+ mScreenManipulator.initialize(this);
+ PowerManager powerManager = (PowerManager) getSystemService(Context.POWER_SERVICE);
+ mWakeLock = powerManager.newWakeLock(PowerManager.PARTIAL_WAKE_LOCK, "SensorCtsTests");
+
+ SensorTestLogger logger = getTestLogger();
+ logger.logInstructions(R.string.snsr_no_interaction);
+ logger.logInstructions(R.string.snsr_run_automated_tests);
waitForUserToBegin();
+
+ // automated CTS tests run with the USB connected, so the AP doesn't go to sleep
+ // here we are not connected to USB, so we need to hold a wake-lock to avoid going to sleep
+ mWakeLock.acquire();
+ mScreenManipulator.turnScreenOff();
+ }
+
+ @Override
+ protected void activityCleanUp() {
+ getWindow().addFlags(WindowManager.LayoutParams.FLAG_DISMISS_KEYGUARD);
+ mScreenManipulator.turnScreenOn();
+ mWakeLock.release();
+ }
+
+ @Override
+ protected void onDestroy() {
+ super.onDestroy();
+ mScreenManipulator.releaseScreenOn();
}
/**
@@ -150,7 +183,6 @@
if (!mCurrentTestReported) {
getTestLogger().logTestPass(description.getMethodName(), null /* testSummary */);
}
- playSound();
}
public void testFailure(Failure failure) throws Exception {
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/helpers/SensorTestScreenManipulator.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/helpers/SensorTestScreenManipulator.java
index 8986cd9..bfe2ba7 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/helpers/SensorTestScreenManipulator.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/helpers/SensorTestScreenManipulator.java
@@ -27,25 +27,55 @@
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
+import android.os.PowerManager;
import android.text.TextUtils;
/**
* A class that provides functionality to manipulate the state of the device's screen.
+ *
+ * The implementation uses a simple state machine with 3 states: keep-screen-off, keep-screen-on,
+ * and a free-state where the class does not affect the system's state.
+ *
+ * The list of transitions and their handlers are:
+ * keep-screen-on --(turnScreenOff)--> keep-screen-off
+ * keep-screen-on --(releaseScreenOn)--> free-state
+ *
+ * keep-screen-off --(turnScreenOn)--> keep-screen-on
+ * keep-screen-off --(wakeUpScreen)--> free-state
+ *
+ * free-state --(turnScreenOff)--> keep-screen-off
+ * free-state --(turnScreenOn)--> keep-screen-on
+ *
+ * NOTES:
+ * - the operator still can turn on/off the screen by pressing the power button
+ * - this class must be used by a single client, that can manage the state of the instance, likely
+ * - in a single-threaded environment
*/
public class SensorTestScreenManipulator {
private final Context mContext;
private final DevicePolicyManager mDevicePolicyManager;
private final ComponentName mComponentName;
+ private final PowerManager.WakeLock mWakeUpScreenWakeLock;
+ private final PowerManager.WakeLock mKeepScreenWakeLock;
- private volatile InternalBroadcastReceiver mBroadcastReceiver;
- private volatile boolean mTurnOffScreenOnPowerDisconnected;
+ private InternalBroadcastReceiver mBroadcastReceiver;
+ private boolean mTurnOffScreenOnPowerDisconnected;
public SensorTestScreenManipulator(Context context) {
mContext = context;
mComponentName = SensorDeviceAdminReceiver.getComponentName(context);
mDevicePolicyManager =
(DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
+
+ int levelAndFlags = PowerManager.FULL_WAKE_LOCK
+ | PowerManager.ON_AFTER_RELEASE
+ | PowerManager.ACQUIRE_CAUSES_WAKEUP;
+ PowerManager powerManager = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
+ mWakeUpScreenWakeLock = powerManager.newWakeLock(levelAndFlags, "SensorTestWakeUpScreen");
+ mWakeUpScreenWakeLock.setReferenceCounted(false);
+ mKeepScreenWakeLock = powerManager.newWakeLock(levelAndFlags, "SensorTestKeepScreenOn");
+ mWakeUpScreenWakeLock.setReferenceCounted(false);
}
/**
@@ -90,10 +120,48 @@
*/
public synchronized void turnScreenOff() {
ensureDeviceAdminInitialized();
+ releaseScreenOn();
mDevicePolicyManager.lockNow();
}
/**
+ * Instruct the device to wake up the screen immediately, the screen will remain on for a bit,
+ * but the system might turn the screen off in the near future.
+ */
+ public synchronized void wakeUpScreen() {
+ mWakeUpScreenWakeLock.acquire();
+ // release right away, the screen still remains on for a bit, but not indefinitely
+ mWakeUpScreenWakeLock.release();
+ }
+
+ /**
+ * Instructs the device to turn on the screen immediately.
+ *
+ * The screen will remain on until the client invokes {@link #releaseScreenOn()}, or the user
+ * presses the device's power button.
+ */
+ public synchronized void turnScreenOn() {
+ if (mKeepScreenWakeLock.isHeld()) {
+ // recover from cases when we could get out of sync, this can happen because the user
+ // can press the power button, and other wake-locks can prevent intents to be received
+ mKeepScreenWakeLock.release();
+ }
+ mKeepScreenWakeLock.acquire();
+ }
+
+ /**
+ * Indicates that the client does not require the screen to remain on anymore.
+ *
+ * See {@link #turnScreenOn()} for more information.
+ */
+ public synchronized void releaseScreenOn() {
+ if (!mKeepScreenWakeLock.isHeld()) {
+ return;
+ }
+ mKeepScreenWakeLock.release();
+ }
+
+ /**
* Queues a request to turn off the screen off when the device has been disconnected from a
* power source (usually upon USB disconnected).
*
@@ -124,14 +192,14 @@
public void onReceive(Context context, Intent intent) {
String action = intent.getAction();
- if (mTurnOffScreenOnPowerDisconnected &&
- TextUtils.equals(action, Intent.ACTION_POWER_DISCONNECTED)) {
- turnScreenOff();
-
- // reset the flag after it has triggered once, we try to avoid cases when the test
- // might leave the receiver enabled after itself,
- // this approach still provides a way to multiplex one time requests
- mTurnOffScreenOnPowerDisconnected = false;
+ if (TextUtils.equals(action, Intent.ACTION_POWER_DISCONNECTED)) {
+ if (mTurnOffScreenOnPowerDisconnected) {
+ turnScreenOff();
+ // reset the flag after it has triggered once, we try to avoid cases when the test
+ // might leave the receiver enabled after itself,
+ // this approach still provides a way to multiplex one time requests
+ mTurnOffScreenOnPowerDisconnected = false;
+ }
}
}
}
diff --git a/development/ide/eclipse/.classpath b/development/ide/eclipse/.classpath
index fafcc32..98939ba 100644
--- a/development/ide/eclipse/.classpath
+++ b/development/ide/eclipse/.classpath
@@ -1,101 +1,101 @@
<?xml version="1.0" encoding="UTF-8"?>
<classpath>
- <classpathentry kind="lib" path="prebuilts/misc/common/ddmlib/ddmlib-prebuilt.jar"/>
- <classpathentry kind="lib" path="prebuilts/misc/common/tradefed/tradefed-prebuilt.jar"/>
- <classpathentry kind="src" path="cts/apps/CtsVerifier/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/appsecurity/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/appsecurity/test-apps/AppWithData/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/monkey/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/monkey/test-apps/CtsMonkeyApp/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/monkey/test-apps/CtsMonkeyApp2/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/sample/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/sample/app/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/theme/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/theme/app/src"/>
- <classpathentry kind="src" path="cts/hostsidetests/usb/src"/>
- <classpathentry kind="src" path="cts/libs/vogar-expect/src"/>
- <classpathentry kind="src" path="cts/libs/commonutil/src"/>
- <classpathentry kind="src" path="cts/libs/deviceutil/src"/>
- <classpathentry kind="src" path="cts/libs/json/src"/>
- <classpathentry kind="src" path="cts/libs/testserver/src"/>
- <classpathentry kind="src" path="cts/libs/wrappedgtest/src"/>
- <classpathentry kind="src" path="cts/suite/cts/deviceTests/browserbench/src"/>
- <classpathentry kind="src" path="cts/suite/cts/deviceTests/dram/src"/>
- <classpathentry kind="src" path="cts/suite/cts/deviceTests/filesystemperf/src"/>
- <classpathentry kind="src" path="cts/suite/cts/deviceTests/opengl/src"/>
- <classpathentry kind="src" path="cts/suite/cts/deviceTests/simplecpu/src"/>
- <classpathentry kind="src" path="cts/suite/cts/deviceTests/ui/src"/>
- <classpathentry kind="src" path="cts/suite/cts/deviceTests/videoperf/src"/>
- <classpathentry kind="src" path="cts/suite/cts/hostTests/jank/app/src"/>
- <classpathentry kind="src" path="cts/suite/cts/hostTests/jank/src"/>
- <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/appA/src"/>
- <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/appB/src"/>
- <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/control/src"/>
- <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/src"/>
- <classpathentry kind="src" path="cts/tests/ProcessTest/src"/>
- <classpathentry kind="src" path="cts/tests/ProcessTest/NoShareUidApp/src"/>
- <classpathentry kind="src" path="cts/tests/ProcessTest/ShareUidApp/src"/>
- <classpathentry kind="src" path="cts/tests/SignatureTest/src"/>
- <classpathentry kind="src" path="cts/tests/SignatureTest/tests/src"/>
- <classpathentry kind="src" path="cts/tests/acceleration/src"/>
- <classpathentry kind="src" path="cts/tests/core/runner/src"/>
- <classpathentry kind="src" path="cts/tests/deviceadmin/src"/>
- <classpathentry kind="src" path="cts/tests/sample/src"/>
- <classpathentry kind="src" path="cts/tests/src"/>
- <classpathentry kind="src" path="cts/tests/tests/acceleration/src"/>
- <classpathentry kind="src" path="cts/tests/tests/accessibility/src"/>
- <classpathentry kind="src" path="cts/tests/tests/accessibilityservice/src"/>
- <classpathentry kind="src" path="cts/tests/tests/accounts/src"/>
- <classpathentry kind="src" path="cts/tests/tests/admin/src"/>
- <classpathentry kind="src" path="cts/tests/tests/animation/src"/>
- <classpathentry kind="src" path="cts/tests/tests/app/src"/>
- <classpathentry kind="src" path="cts/tests/tests/bluetooth/src"/>
- <classpathentry kind="src" path="cts/tests/tests/content/src"/>
- <classpathentry kind="src" path="cts/tests/tests/database/src"/>
- <classpathentry kind="src" path="cts/tests/tests/dpi/src"/>
- <classpathentry kind="src" path="cts/tests/tests/dpi2/src"/>
- <classpathentry kind="src" path="cts/tests/tests/drm/src"/>
- <classpathentry kind="src" path="cts/tests/tests/gesture/src"/>
- <classpathentry kind="src" path="cts/tests/tests/graphics/src"/>
- <classpathentry kind="src" path="cts/tests/tests/graphics2/src"/>
- <classpathentry kind="src" path="cts/tests/tests/hardware/src"/>
- <classpathentry kind="src" path="cts/tests/tests/jni/src"/>
- <classpathentry kind="src" path="cts/tests/tests/location/src"/>
- <classpathentry kind="src" path="cts/tests/tests/media/src"/>
- <classpathentry kind="src" path="cts/tests/tests/mediastress/src"/>
- <classpathentry kind="src" path="cts/tests/tests/net/src"/>
- <classpathentry kind="src" path="cts/tests/tests/opengl/src"/>
- <classpathentry kind="src" path="cts/tests/tests/openglperf/src"/>
- <classpathentry kind="src" path="cts/tests/tests/os/src"/>
- <classpathentry kind="src" path="cts/tests/tests/permission/src"/>
- <classpathentry kind="src" path="cts/tests/tests/permission2/src"/>
- <classpathentry kind="src" path="cts/tests/tests/preference/src"/>
- <classpathentry kind="src" path="cts/tests/tests/preference2/src"/>
- <classpathentry kind="src" path="cts/tests/tests/provider/src"/>
- <classpathentry kind="src" path="cts/tests/tests/renderscript/src"/>
- <classpathentry kind="src" path="cts/tests/tests/security/src"/>
- <classpathentry kind="src" path="cts/tests/tests/speech/src"/>
- <classpathentry kind="src" path="cts/tests/tests/telephony/src"/>
- <classpathentry kind="src" path="cts/tests/tests/text/src"/>
- <classpathentry kind="src" path="cts/tests/tests/textureview/src"/>
- <classpathentry kind="src" path="cts/tests/tests/util/src"/>
- <classpathentry kind="src" path="cts/tests/tests/view/src"/>
- <classpathentry kind="src" path="cts/tests/tests/webkit/src"/>
- <classpathentry kind="src" path="cts/tests/tests/widget/src"/>
- <classpathentry kind="src" path="cts/tools/cts-api-coverage/src"/>
- <classpathentry kind="src" path="cts/tools/cts-java-scanner/src"/>
- <classpathentry kind="src" path="cts/tools/cts-java-scanner-doclet/src"/>
- <classpathentry kind="src" path="cts/tools/cts-native-scanner/src"/>
- <classpathentry kind="src" path="cts/tools/cts-reference-app-lib/src"/>
- <classpathentry kind="src" path="cts/tools/cts-xml-generator/src"/>
- <classpathentry kind="src" path="cts/tools/dasm/src"/>
- <classpathentry kind="src" path="cts/tools/device-setup/TestDeviceSetup/src"/>
- <classpathentry kind="src" path="cts/tools/dex-tools/src"/>
- <classpathentry kind="src" path="cts/tools/signature-tools/src"/>
- <classpathentry kind="src" path="cts/tools/signature-tools/test"/>
- <classpathentry kind="src" path="cts/tools/tradefed-host/src"/>
- <classpathentry kind="src" path="cts/tools/tradefed-host/tests/src"/>
- <classpathentry kind="src" path="cts/tools/utils"/>
- <classpathentry kind="src" path="cts/tools/vm-tests-tf/src"/>
- <classpathentry kind="src" path="external/easymock/src"/>
+ <classpathentry kind="lib" path="prebuilts/misc/common/ddmlib/ddmlib-prebuilt.jar"/>
+ <classpathentry kind="lib" path="prebuilts/misc/common/tradefed/tradefed-prebuilt.jar"/>
+ <classpathentry kind="src" path="cts/apps/CtsVerifier/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/appsecurity/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/appsecurity/test-apps/AppWithData/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/monkey/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/monkey/test-apps/CtsMonkeyApp/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/monkey/test-apps/CtsMonkeyApp2/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/sample/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/sample/app/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/theme/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/theme/app/src"/>
+ <classpathentry kind="src" path="cts/hostsidetests/usb/src"/>
+ <classpathentry kind="src" path="cts/libs/vogar-expect/src"/>
+ <classpathentry kind="src" path="cts/libs/commonutil/src"/>
+ <classpathentry kind="src" path="cts/libs/deviceutil/src"/>
+ <classpathentry kind="src" path="cts/libs/json/src"/>
+ <classpathentry kind="src" path="cts/libs/testserver/src"/>
+ <classpathentry kind="src" path="cts/libs/wrappedgtest/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/deviceTests/browserbench/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/deviceTests/dram/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/deviceTests/filesystemperf/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/deviceTests/opengl/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/deviceTests/simplecpu/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/deviceTests/ui/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/deviceTests/videoperf/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/hostTests/jank/app/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/hostTests/jank/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/appA/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/appB/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/control/src"/>
+ <classpathentry kind="src" path="cts/suite/cts/hostTests/uihost/src"/>
+ <classpathentry kind="src" path="cts/tests/ProcessTest/src"/>
+ <classpathentry kind="src" path="cts/tests/ProcessTest/NoShareUidApp/src"/>
+ <classpathentry kind="src" path="cts/tests/ProcessTest/ShareUidApp/src"/>
+ <classpathentry kind="src" path="cts/tests/signature/src"/>
+ <classpathentry kind="src" path="cts/tests/signature-tests/src"/>
+ <classpathentry kind="src" path="cts/tests/acceleration/src"/>
+ <classpathentry kind="src" path="cts/tests/core/runner/src"/>
+ <classpathentry kind="src" path="cts/tests/deviceadmin/src"/>
+ <classpathentry kind="src" path="cts/tests/sample/src"/>
+ <classpathentry kind="src" path="cts/tests/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/acceleration/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/accessibility/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/accessibilityservice/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/accounts/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/admin/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/animation/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/app/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/bluetooth/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/content/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/database/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/dpi/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/dpi2/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/drm/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/gesture/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/graphics/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/graphics2/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/hardware/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/jni/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/location/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/media/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/mediastress/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/net/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/opengl/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/openglperf/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/os/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/permission/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/permission2/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/preference/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/preference2/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/provider/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/renderscript/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/security/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/speech/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/telephony/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/text/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/textureview/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/util/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/view/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/webkit/src"/>
+ <classpathentry kind="src" path="cts/tests/tests/widget/src"/>
+ <classpathentry kind="src" path="cts/tools/cts-api-coverage/src"/>
+ <classpathentry kind="src" path="cts/tools/cts-java-scanner/src"/>
+ <classpathentry kind="src" path="cts/tools/cts-java-scanner-doclet/src"/>
+ <classpathentry kind="src" path="cts/tools/cts-native-scanner/src"/>
+ <classpathentry kind="src" path="cts/tools/cts-reference-app-lib/src"/>
+ <classpathentry kind="src" path="cts/tools/cts-xml-generator/src"/>
+ <classpathentry kind="src" path="cts/tools/dasm/src"/>
+ <classpathentry kind="src" path="cts/tools/device-setup/TestDeviceSetup/src"/>
+ <classpathentry kind="src" path="cts/tools/dex-tools/src"/>
+ <classpathentry kind="src" path="cts/tools/signature-tools/src"/>
+ <classpathentry kind="src" path="cts/tools/signature-tools/test"/>
+ <classpathentry kind="src" path="cts/tools/tradefed-host/src"/>
+ <classpathentry kind="src" path="cts/tools/tradefed-host/tests/src"/>
+ <classpathentry kind="src" path="cts/tools/utils"/>
+ <classpathentry kind="src" path="cts/tools/vm-tests-tf/src"/>
+ <classpathentry kind="src" path="external/easymock/src"/>
</classpath>
diff --git a/development/ide/eclipse/genclasspath.sh b/development/ide/eclipse/genclasspath.sh
index 00ee9b3..9b90d82 100755
--- a/development/ide/eclipse/genclasspath.sh
+++ b/development/ide/eclipse/genclasspath.sh
@@ -13,6 +13,5 @@
echo '<?xml version="1.0" encoding="UTF-8"?>'
echo '<classpath>'
-cat $ANDROID_BUILD_TOP/cts/development/ide/eclipse/.classpath | grep classpathentry
-cat $ANDROID_BUILD_TOP/development/ide/eclipse/.classpath | grep classpathentry
+cat $ANDROID_BUILD_TOP/cts/development/ide/eclipse/.classpath $ANDROID_BUILD_TOP/development/ide/eclipse/.classpath | grep classpathentry | sort
echo '</classpath>'
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk b/hostsidetests/devicepolicy/app/DeviceOwner/Android.mk
similarity index 95%
rename from hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
rename to hostsidetests/devicepolicy/app/DeviceOwner/Android.mk
index baf540b..e621933 100644
--- a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/Android.mk
@@ -16,7 +16,7 @@
include $(CLEAR_VARS)
-LOCAL_PACKAGE_NAME := CtsProfileOwnerApp
+LOCAL_PACKAGE_NAME := CtsDeviceOwnerApp
LOCAL_MODULE_TAGS := optional
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/AndroidManifest.xml b/hostsidetests/devicepolicy/app/DeviceOwner/AndroidManifest.xml
new file mode 100644
index 0000000..7a196bf
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/AndroidManifest.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2014 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.deviceowner" >
+
+ <uses-sdk android:minSdkVersion="20"/>
+
+ <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
+ <uses-permission android:name="android.permission.WRITE_SETTINGS" />
+
+ <application>
+ <uses-library android:name="android.test.runner" />
+ <receiver
+ android:name="com.android.cts.deviceowner.BaseDeviceOwnerTest$BasicAdminReceiver"
+ android:permission="android.permission.BIND_DEVICE_ADMIN">
+ <meta-data android:name="android.app.device_admin"
+ android:resource="@xml/device_admin" />
+ <intent-filter>
+ <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+ </intent-filter>
+ </receiver>
+ <activity android:name="com.android.cts.deviceowner.ExampleIntentReceivingActivity1">
+ <intent-filter>
+ <action android:name="com.android.cts.deviceowner.EXAMPLE_ACTION" />
+ <category android:name="android.intent.category.DEFAULT" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="com.android.cts.deviceowner.ExampleIntentReceivingActivity2">
+ <intent-filter>
+ <action android:name="com.android.cts.deviceowner.EXAMPLE_ACTION" />
+ <category android:name="android.intent.category.DEFAULT" />
+ </intent-filter>
+ </activity>
+
+ <activity
+ android:name="com.android.cts.deviceowner.LockTaskUtilityActivity" />
+ <activity
+ android:name="com.android.cts.deviceowner.ApplicationRestrictionActivity" />
+ </application>
+
+ <instrumentation android:name="android.test.InstrumentationTestRunner"
+ android:targetPackage="com.android.cts.deviceowner"
+ android:label="Device Owner CTS tests"/>
+</manifest>
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/res/xml/device_admin.xml b/hostsidetests/devicepolicy/app/DeviceOwner/res/xml/device_admin.xml
new file mode 100644
index 0000000..fe58d38
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/res/xml/device_admin.xml
@@ -0,0 +1,6 @@
+<device-admin xmlns:android="http://schemas.android.com/apk/res/android" android:visible="false">
+ <uses-policies>
+ <reset-password />
+ <limit-password />
+ </uses-policies>
+</device-admin>
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ApplicationRestrictionActivity.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ApplicationRestrictionActivity.java
new file mode 100644
index 0000000..4d8e4f2
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ApplicationRestrictionActivity.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.deviceowner;
+
+import android.app.Activity;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.os.Bundle;
+import android.os.UserManager;
+
+/**
+ * Test activity for setApplicationRestrictions().
+ *
+ * The actual test will set restrictions for this package, and the purpose of this
+ * activity is to listen for the ACTION_APPLICATION_RESTRICTIONS_CHANGED broadcast
+ * and relay the retrieved restriction bundle back to the test for validation.
+ */
+public class ApplicationRestrictionActivity extends Activity {
+
+ // Incoming intent type
+ public static final String FINISH = "finishActivity";
+
+ // Outgoing broadcast
+ public static final String REGISTERED_ACTION =
+ "com.android.cts.deviceowner.APP_RESTRICTION_REGISTERED";
+ public static final String RESTRICTION_ACTION =
+ "com.android.cts.deviceowner.APP_RESTRICTION_VALUE";
+
+ private UserManager mUserManager;
+
+ private final BroadcastReceiver mAppRestrictionReceiver = new BroadcastReceiver() {
+ @Override
+ public void onReceive(Context context, Intent intent) {
+ broadcastRestriction();
+ }
+ };
+
+ private void broadcastRestriction() {
+ Bundle restrictions = mUserManager.getApplicationRestrictions(getPackageName());
+ Intent intent = new Intent(RESTRICTION_ACTION);
+ intent.putExtra("value", restrictions);
+ sendBroadcast(intent);
+ }
+
+ @Override
+ protected void onNewIntent(Intent intent) {
+ super.onNewIntent(intent);
+ handleIntent(intent);
+ }
+
+ @Override
+ protected void onCreate(android.os.Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ handleIntent(getIntent());
+ }
+
+ @Override
+ protected void onResume() {
+ super.onResume();
+ mUserManager = (UserManager) getSystemService(Context.USER_SERVICE);
+ IntentFilter filter = new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED);
+ registerReceiver(mAppRestrictionReceiver, filter);
+ sendBroadcast(new Intent(REGISTERED_ACTION));
+ }
+
+ @Override
+ protected void onPause() {
+ super.onPause();
+ unregisterReceiver(mAppRestrictionReceiver);
+ }
+
+ private void handleIntent(Intent intent) {
+ if (intent.getBooleanExtra(FINISH, false)) {
+ finish();
+ }
+ }
+
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ApplicationRestrictionsTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ApplicationRestrictionsTest.java
new file mode 100644
index 0000000..5e03de9
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ApplicationRestrictionsTest.java
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.os.Bundle;
+
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Functionality tests for setApplicationRestrictions and getApplicationRestrictions
+ * in DevicePolicyManager.
+ *
+ * First of all, these two APIs are executed locally to assert that what you set
+ * can later be retrieved via the getter. It also fires up an external activity
+ * (which runs in com.google.android.xts.gmscore, unlike the test code itself
+ * which runs in the test target package com.google.android.gms due to
+ * instrumentation) to observe an application's view of its restrictions.
+ * The activity listens to ACTION_APPLICATION_RESTRICTIONS_CHANGED broadcast
+ * which is fired by the system whenever its restriction is modified,
+ * and relays the value back to this test for verification.
+ */
+public class ApplicationRestrictionsTest extends BaseDeviceOwnerTest {
+
+ private static final String[] testStrings = new String[] {
+ "<bad/>",
+ ">worse!\"£$%^&*()'<",
+ "<JSON>\"{ \\\"One\\\": { \\\"OneOne\\\": \\\"11\\\", \\\""
+ + "OneTwo\\\": \\\"12\\\" }, \\\"Two\\\": \\\"2\\\" } <JSON/>\""
+ };
+
+ private final Semaphore mOnRegisteredSemaphore = new Semaphore(0);
+ private final Semaphore mOnRestrictionSemaphore = new Semaphore(0);
+ private Bundle mReceivedRestrictions;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ IntentFilter filter = new IntentFilter();
+ filter.addAction(ApplicationRestrictionActivity.REGISTERED_ACTION);
+ filter.addAction(ApplicationRestrictionActivity.RESTRICTION_ACTION);
+ mContext.registerReceiver(mReceiver, filter);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ mContext.unregisterReceiver(mReceiver);
+ super.tearDown();
+ }
+
+ public void testSetApplicationRestrictions() {
+ final String CTS_PACKAGE = PACKAGE_NAME;
+ final String OTHER_PACKAGE = CTS_PACKAGE + "dummy";
+
+ startAndWait();
+
+ Bundle bundle0 = createBundle0();
+ Bundle bundle1 = createBundle1();
+
+ // Test setting restrictions
+ mDevicePolicyManager.setApplicationRestrictions(getWho(), CTS_PACKAGE, bundle0);
+ mDevicePolicyManager.setApplicationRestrictions(getWho(), OTHER_PACKAGE, bundle1);
+
+ // Retrieve restrictions locally and make sure they are what we put in.
+ assertBundle0(mDevicePolicyManager.getApplicationRestrictions(getWho(), CTS_PACKAGE));
+ assertBundle1(mDevicePolicyManager.getApplicationRestrictions(getWho(), OTHER_PACKAGE));
+
+ // The test activity should have received a change_restriction broadcast
+ // and relay the value back to us.
+ assertBundle0(waitForChangedRestriction());
+
+ // Test overwriting
+ mDevicePolicyManager.setApplicationRestrictions(getWho(), CTS_PACKAGE, bundle1);
+ assertBundle1(mDevicePolicyManager.getApplicationRestrictions(getWho(), CTS_PACKAGE));
+ assertBundle1(waitForChangedRestriction());
+
+ // Cleanup
+ mDevicePolicyManager.setApplicationRestrictions(getWho(), CTS_PACKAGE, new Bundle());
+ assertTrue(
+ mDevicePolicyManager.getApplicationRestrictions(getWho(), CTS_PACKAGE).isEmpty());
+ assertTrue(waitForChangedRestriction().isEmpty());
+ mDevicePolicyManager.setApplicationRestrictions(getWho(), OTHER_PACKAGE, new Bundle());
+ assertTrue(
+ mDevicePolicyManager.getApplicationRestrictions(getWho(), OTHER_PACKAGE).isEmpty());
+
+ finish();
+ }
+
+ // Should be consistent with assertBundle0
+ private Bundle createBundle0() {
+ Bundle result = new Bundle();
+ // Tests for four allowed types: Integer, Boolean, String and String[]
+ // Also test for string escaping handling
+ result.putBoolean("boolean_0", false);
+ result.putBoolean("boolean_1", true);
+ result.putInt("integer", 0x7fffffff);
+ // If a null is stored, "" will be read back
+ result.putString("empty", "");
+ result.putString("string", "text");
+ result.putStringArray("string[]", testStrings);
+ return result;
+ }
+
+ // Should be consistent with createBundle0
+ private void assertBundle0(Bundle bundle) {
+ assertEquals(6, bundle.size());
+ assertEquals(false, bundle.getBoolean("boolean_0"));
+ assertEquals(true, bundle.getBoolean("boolean_1"));
+ assertEquals(0x7fffffff, bundle.getInt("integer"));
+ assertEquals("", bundle.getString("empty"));
+ assertEquals("text", bundle.getString("string"));
+
+ String[] strings = bundle.getStringArray("string[]");
+ assertTrue(strings != null && strings.length == testStrings.length);
+ for (int i = 0; i < strings.length; i++) {
+ assertEquals(strings[i], testStrings[i]);
+ }
+ }
+
+ // Should be consistent with assertBundle1
+ private Bundle createBundle1() {
+ Bundle result = new Bundle();
+ result.putInt("dummy", 1);
+ return result;
+ }
+
+ // Should be consistent with createBundle1
+ private void assertBundle1(Bundle bundle) {
+ assertEquals(1, bundle.size());
+ assertEquals(1, bundle.getInt("dummy"));
+ }
+
+ private final BroadcastReceiver mReceiver = new BroadcastReceiver() {
+ @Override
+ public void onReceive(Context context, Intent intent) {
+ String action = intent.getAction();
+ if (ApplicationRestrictionActivity.REGISTERED_ACTION.equals(action)) {
+ mOnRegisteredSemaphore.release();
+ } else if (ApplicationRestrictionActivity.RESTRICTION_ACTION.equals(action)) {
+ mReceivedRestrictions = intent.getBundleExtra("value");
+ mOnRestrictionSemaphore.release();
+ }
+ }
+ };
+
+ private void startTestActivity(String command) {
+ Intent intent = new Intent();
+ intent.setClassName(PACKAGE_NAME, ApplicationRestrictionActivity.class.getName());
+ intent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP | Intent.FLAG_ACTIVITY_NEW_TASK);
+
+ if (command != null) {
+ intent.putExtra(command, true);
+ }
+ mContext.startActivity(intent);
+ }
+
+ private void startAndWait() {
+ startTestActivity(null);
+ // Wait until the activity has registered its broadcast receiver and ready for incoming
+ // restriction changes.
+ try {
+ assertTrue(mOnRegisteredSemaphore.tryAcquire(5, TimeUnit.SECONDS));
+ } catch (InterruptedException e) {
+ fail("Start ApplicationRestrictionActivity interrupted");
+ }
+ }
+
+ private Bundle waitForChangedRestriction() {
+ try {
+ assertTrue(mOnRestrictionSemaphore.tryAcquire(5, TimeUnit.SECONDS));
+ } catch (InterruptedException e) {
+ fail("getRestrictionsAndWait() interrupted");
+ }
+
+ return mReceivedRestrictions;
+ }
+
+ private void finish() {
+ startTestActivity(ApplicationRestrictionActivity.FINISH);
+ }
+
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/BaseDeviceOwnerTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/BaseDeviceOwnerTest.java
new file mode 100644
index 0000000..e4f5134
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/BaseDeviceOwnerTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+import android.app.admin.DeviceAdminReceiver;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Context;
+import android.test.AndroidTestCase;
+
+/**
+ * Base class for device-owner based tests.
+ *
+ * This class handles making sure that the test is the device owner
+ * and that it has an active admin registered, so that all tests may
+ * assume these are done. The admin component can be accessed through
+ * {@link #getWho()}.
+ */
+public class BaseDeviceOwnerTest extends AndroidTestCase {
+
+ public static class BasicAdminReceiver extends DeviceAdminReceiver {
+ }
+
+ public static final String PACKAGE_NAME = BaseDeviceOwnerTest.class.getPackage().getName();
+
+ protected DevicePolicyManager mDevicePolicyManager;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ mDevicePolicyManager = (DevicePolicyManager)
+ mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
+ assertTrue(mDevicePolicyManager.isAdminActive(getWho()));
+ assertTrue(mDevicePolicyManager.isDeviceOwnerApp(PACKAGE_NAME));
+ }
+
+ public static ComponentName getWho() {
+ return new ComponentName(PACKAGE_NAME, BasicAdminReceiver.class.getName());
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/CaCertManagementTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/CaCertManagementTest.java
new file mode 100644
index 0000000..9127dab
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/CaCertManagementTest.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+import static com.android.cts.deviceowner.FakeKeys.FAKE_RSA_1;
+import static com.android.cts.deviceowner.FakeKeys.FAKE_DSA_1;
+
+import java.io.ByteArrayInputStream;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.Certificate;
+import java.util.List;
+
+public class CaCertManagementTest extends BaseDeviceOwnerTest {
+ public void testCanRetrieveListOfInstalledCaCerts() {
+ List<byte[]> caCerts = mDevicePolicyManager.getInstalledCaCerts(getWho());
+ assertNotNull(caCerts);
+ }
+
+ public void testCanInstallAndUninstallACaCert()
+ throws CertificateException {
+ assertFalse(hasCaCertInstalled(FAKE_RSA_1.caCertificate));
+ assertFalse(hasCaCertInstalled(FAKE_DSA_1.caCertificate));
+ assertTrue(mDevicePolicyManager.installCaCert(getWho(), FAKE_RSA_1.caCertificate));
+ assertTrue(hasCaCertInstalled(FAKE_RSA_1.caCertificate));
+ assertFalse(hasCaCertInstalled(FAKE_DSA_1.caCertificate));
+ mDevicePolicyManager.uninstallCaCert(getWho(), FAKE_RSA_1.caCertificate);
+ assertFalse(hasCaCertInstalled(FAKE_RSA_1.caCertificate));
+ assertFalse(hasCaCertInstalled(FAKE_DSA_1.caCertificate));
+ }
+
+ public void testUninstallationIsSelective() throws CertificateException {
+ assertTrue(mDevicePolicyManager.installCaCert(getWho(), FAKE_RSA_1.caCertificate));
+ assertTrue(mDevicePolicyManager.installCaCert(getWho(), FAKE_DSA_1.caCertificate));
+ mDevicePolicyManager.uninstallCaCert(getWho(), FAKE_DSA_1.caCertificate);
+ assertTrue(hasCaCertInstalled(FAKE_RSA_1.caCertificate));
+ assertFalse(hasCaCertInstalled(FAKE_DSA_1.caCertificate));
+ mDevicePolicyManager.uninstallCaCert(getWho(), FAKE_RSA_1.caCertificate);
+ }
+
+ public void testCanUninstallAllUserCaCerts() throws CertificateException {
+ assertTrue(mDevicePolicyManager.installCaCert(getWho(), FAKE_RSA_1.caCertificate));
+ assertTrue(mDevicePolicyManager.installCaCert(getWho(), FAKE_DSA_1.caCertificate));
+ mDevicePolicyManager.uninstallAllUserCaCerts(getWho());
+ assertFalse(hasCaCertInstalled(FAKE_RSA_1.caCertificate));
+ assertFalse(hasCaCertInstalled(FAKE_DSA_1.caCertificate));
+ }
+
+ private boolean hasCaCertInstalled(byte [] caCert) throws CertificateException {
+ boolean result = mDevicePolicyManager.hasCaCertInstalled(getWho(), caCert);
+ assertEquals(result, containsCertificate(
+ mDevicePolicyManager.getInstalledCaCerts(getWho()), caCert));
+ return result;
+ }
+
+ private static boolean containsCertificate(List<byte[]> certificates, byte [] toMatch)
+ throws CertificateException {
+ Certificate certificateToMatch = readCertificate(toMatch);
+ for (byte[] certBuffer : certificates) {
+ Certificate cert = readCertificate(certBuffer);
+ if (certificateToMatch.equals(cert)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private static Certificate readCertificate(byte[] certBuffer) throws CertificateException {
+ final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+ return certFactory.generateCertificate(new ByteArrayInputStream(certBuffer));
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ClearDeviceOwnerTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ClearDeviceOwnerTest.java
new file mode 100644
index 0000000..f10124a
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ClearDeviceOwnerTest.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.deviceowner;
+
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Context;
+import android.test.AndroidTestCase;
+
+public class ClearDeviceOwnerTest extends AndroidTestCase {
+
+ private DevicePolicyManager mDevicePolicyManager;
+
+ @Override
+ protected void tearDown() throws Exception {
+ mDevicePolicyManager = (DevicePolicyManager)
+ mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
+ if (mDevicePolicyManager != null) {
+ removeActiveAdmin(BaseDeviceOwnerTest.getWho());
+ if (mDevicePolicyManager.isDeviceOwnerApp(BaseDeviceOwnerTest.PACKAGE_NAME)) {
+ mDevicePolicyManager.clearDeviceOwnerApp(BaseDeviceOwnerTest.PACKAGE_NAME);
+ }
+ assertFalse(mDevicePolicyManager.isAdminActive(BaseDeviceOwnerTest.getWho()));
+ assertFalse(mDevicePolicyManager.isDeviceOwnerApp(BaseDeviceOwnerTest.PACKAGE_NAME));
+ }
+
+ super.tearDown();
+ }
+
+ // This test clears the device owner and active admin on tearDown(). To be called from the host
+ // side test once a test case is finished.
+ public void testClearDeviceOwner() {
+ }
+
+ private void removeActiveAdmin(ComponentName cn) throws InterruptedException {
+ if (mDevicePolicyManager.isAdminActive(cn)) {
+ mDevicePolicyManager.removeActiveAdmin(cn);
+ for (int i = 0; i < 1000 && mDevicePolicyManager.isAdminActive(cn); i++) {
+ Thread.sleep(100);
+ }
+ }
+ }
+}
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/AbstractClass.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/DeviceOwnerSetupTest.java
similarity index 62%
copy from tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/AbstractClass.java
copy to hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/DeviceOwnerSetupTest.java
index d24d691..e6441ef 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/AbstractClass.java
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/DeviceOwnerSetupTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 The Android Open Source Project
+ * Copyright (C) 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,11 +14,14 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests.data;
+package com.android.cts.deviceowner;
-/**
-* This class is used as reference data for the JDiffClassDescriptionTest tests.
-*/
-public abstract class AbstractClass {
+
+public class DeviceOwnerSetupTest extends BaseDeviceOwnerTest {
+
+ // This test verifies that the setup assertions are working to verify
+ // we are the device owner and have a valid active admin.
+ public void testEmptyTest() {
+ }
}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ExampleIntentReceivingActivity1.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ExampleIntentReceivingActivity1.java
new file mode 100644
index 0000000..03ca9a4
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ExampleIntentReceivingActivity1.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.deviceowner;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+
+public class ExampleIntentReceivingActivity1 extends Activity {
+ public static final String CONFIRM_ACTION = "com.android.cts.deviceowner.CONFIRM_1";
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ if (getIntent().getAction().equals(PersistentIntentResolvingTest.EXAMPLE_ACTION)) {
+ sendBroadcast(new Intent(CONFIRM_ACTION));
+ }
+ finish();
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ExampleIntentReceivingActivity2.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ExampleIntentReceivingActivity2.java
new file mode 100644
index 0000000..65ccb36
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ExampleIntentReceivingActivity2.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.deviceowner;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+
+public class ExampleIntentReceivingActivity2 extends Activity {
+ public static final String CONFIRM_ACTION = "com.android.cts.deviceowner.CONFIRM_2";
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ if (getIntent().getAction().equals(PersistentIntentResolvingTest.EXAMPLE_ACTION)) {
+ sendBroadcast(new Intent(CONFIRM_ACTION));
+ }
+ finish();
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/FakeKeys.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/FakeKeys.java
new file mode 100644
index 0000000..11df8e5
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/FakeKeys.java
@@ -0,0 +1,469 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+// Copied from cts/tests/tests/keystore/src/android/keystore/cts/AndroidKeyStoreTest.java
+
+public class FakeKeys {
+ /*
+ * The keys and certificates below are generated with:
+ *
+ * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem
+ * openssl req -newkey rsa:1024 -keyout userkey.pem -nodes -days 3650 -out userkey.req
+ * mkdir -p demoCA/newcerts
+ * touch demoCA/index.txt
+ * echo "01" > demoCA/serial
+ * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650
+ */
+ public static class FAKE_RSA_1 {
+ /**
+ * Generated from above and converted with:
+ *
+ * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g'
+ */
+ public static final byte[] privateKey = {
+ (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x78, (byte) 0x02, (byte) 0x01,
+ (byte) 0x00, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a,
+ (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01,
+ (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x82,
+ (byte) 0x02, (byte) 0x62, (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x5e,
+ (byte) 0x02, (byte) 0x01, (byte) 0x00, (byte) 0x02, (byte) 0x81, (byte) 0x81,
+ (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6, (byte) 0x5b,
+ (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c, (byte) 0x66,
+ (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86, (byte) 0x8a,
+ (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3, (byte) 0x02,
+ (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08, (byte) 0xf3,
+ (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04, (byte) 0x6d,
+ (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f, (byte) 0x67,
+ (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c, (byte) 0xcb,
+ (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30, (byte) 0xe2,
+ (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5, (byte) 0x79,
+ (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b, (byte) 0xce,
+ (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb, (byte) 0x08,
+ (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff, (byte) 0x3b,
+ (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9, (byte) 0xc4,
+ (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29, (byte) 0x0d,
+ (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b, (byte) 0x23,
+ (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78, (byte) 0x08,
+ (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5, (byte) 0xf1,
+ (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19, (byte) 0xb4,
+ (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03, (byte) 0x16,
+ (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce, (byte) 0x9e,
+ (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03, (byte) 0x01,
+ (byte) 0x00, (byte) 0x01, (byte) 0x02, (byte) 0x81, (byte) 0x80, (byte) 0x16,
+ (byte) 0x59, (byte) 0xc3, (byte) 0x24, (byte) 0x1d, (byte) 0x33, (byte) 0x98,
+ (byte) 0x9c, (byte) 0xc9, (byte) 0xc8, (byte) 0x2c, (byte) 0x88, (byte) 0xbf,
+ (byte) 0x0a, (byte) 0x01, (byte) 0xce, (byte) 0xfb, (byte) 0x34, (byte) 0x7a,
+ (byte) 0x58, (byte) 0x7a, (byte) 0xb0, (byte) 0xbf, (byte) 0xa6, (byte) 0xb2,
+ (byte) 0x60, (byte) 0xbe, (byte) 0x70, (byte) 0x21, (byte) 0xf5, (byte) 0xfc,
+ (byte) 0x85, (byte) 0x0d, (byte) 0x33, (byte) 0x58, (byte) 0xa1, (byte) 0xe5,
+ (byte) 0x09, (byte) 0x36, (byte) 0x84, (byte) 0xb2, (byte) 0x04, (byte) 0x0a,
+ (byte) 0x02, (byte) 0xd3, (byte) 0x88, (byte) 0x1f, (byte) 0x0c, (byte) 0x2b,
+ (byte) 0x1d, (byte) 0xe9, (byte) 0x3d, (byte) 0xe7, (byte) 0x79, (byte) 0xf9,
+ (byte) 0x32, (byte) 0x5c, (byte) 0x8a, (byte) 0x75, (byte) 0x49, (byte) 0x12,
+ (byte) 0xe4, (byte) 0x05, (byte) 0x26, (byte) 0xd4, (byte) 0x2e, (byte) 0x9e,
+ (byte) 0x1f, (byte) 0xcc, (byte) 0x54, (byte) 0xad, (byte) 0x33, (byte) 0x8d,
+ (byte) 0x99, (byte) 0x00, (byte) 0xdc, (byte) 0xf5, (byte) 0xb4, (byte) 0xa2,
+ (byte) 0x2f, (byte) 0xba, (byte) 0xe5, (byte) 0x62, (byte) 0x30, (byte) 0x6d,
+ (byte) 0xe6, (byte) 0x3d, (byte) 0xeb, (byte) 0x24, (byte) 0xc2, (byte) 0xdc,
+ (byte) 0x5f, (byte) 0xb7, (byte) 0x16, (byte) 0x35, (byte) 0xa3, (byte) 0x98,
+ (byte) 0x98, (byte) 0xa8, (byte) 0xef, (byte) 0xe8, (byte) 0xc4, (byte) 0x96,
+ (byte) 0x6d, (byte) 0x38, (byte) 0xab, (byte) 0x26, (byte) 0x6d, (byte) 0x30,
+ (byte) 0xc2, (byte) 0xa0, (byte) 0x44, (byte) 0xe4, (byte) 0xff, (byte) 0x7e,
+ (byte) 0xbe, (byte) 0x7c, (byte) 0x33, (byte) 0xa5, (byte) 0x10, (byte) 0xad,
+ (byte) 0xd7, (byte) 0x1e, (byte) 0x13, (byte) 0x20, (byte) 0xb3, (byte) 0x1f,
+ (byte) 0x41, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xf1, (byte) 0x89,
+ (byte) 0x07, (byte) 0x0f, (byte) 0xe8, (byte) 0xcf, (byte) 0xab, (byte) 0x13,
+ (byte) 0x2a, (byte) 0x8f, (byte) 0x88, (byte) 0x80, (byte) 0x11, (byte) 0x9a,
+ (byte) 0x79, (byte) 0xb6, (byte) 0x59, (byte) 0x3a, (byte) 0x50, (byte) 0x6e,
+ (byte) 0x57, (byte) 0x37, (byte) 0xab, (byte) 0x2a, (byte) 0xd2, (byte) 0xaa,
+ (byte) 0xd9, (byte) 0x72, (byte) 0x73, (byte) 0xff, (byte) 0x8b, (byte) 0x47,
+ (byte) 0x76, (byte) 0xdd, (byte) 0xdc, (byte) 0xf5, (byte) 0x97, (byte) 0x44,
+ (byte) 0x3a, (byte) 0x78, (byte) 0xbe, (byte) 0x17, (byte) 0xb4, (byte) 0x22,
+ (byte) 0x6f, (byte) 0xe5, (byte) 0x23, (byte) 0x70, (byte) 0x1d, (byte) 0x10,
+ (byte) 0x5d, (byte) 0xba, (byte) 0x16, (byte) 0x81, (byte) 0xf1, (byte) 0x45,
+ (byte) 0xce, (byte) 0x30, (byte) 0xb4, (byte) 0xab, (byte) 0x80, (byte) 0xe4,
+ (byte) 0x98, (byte) 0x31, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xda,
+ (byte) 0x82, (byte) 0x9d, (byte) 0x3f, (byte) 0xca, (byte) 0x2f, (byte) 0xe1,
+ (byte) 0xd4, (byte) 0x86, (byte) 0x77, (byte) 0x48, (byte) 0xa6, (byte) 0xab,
+ (byte) 0xab, (byte) 0x1c, (byte) 0x42, (byte) 0x5c, (byte) 0xd5, (byte) 0xc7,
+ (byte) 0x46, (byte) 0x59, (byte) 0x91, (byte) 0x3f, (byte) 0xfc, (byte) 0xcc,
+ (byte) 0xec, (byte) 0xc2, (byte) 0x40, (byte) 0x12, (byte) 0x2c, (byte) 0x8d,
+ (byte) 0x1f, (byte) 0xa2, (byte) 0x18, (byte) 0x88, (byte) 0xee, (byte) 0x82,
+ (byte) 0x4a, (byte) 0x5a, (byte) 0x5e, (byte) 0x88, (byte) 0x20, (byte) 0xe3,
+ (byte) 0x7b, (byte) 0xe0, (byte) 0xd8, (byte) 0x3a, (byte) 0x52, (byte) 0x9a,
+ (byte) 0x26, (byte) 0x6a, (byte) 0x04, (byte) 0xec, (byte) 0xe8, (byte) 0xb9,
+ (byte) 0x48, (byte) 0x40, (byte) 0xe1, (byte) 0xe1, (byte) 0x83, (byte) 0xa6,
+ (byte) 0x67, (byte) 0xa6, (byte) 0xfd, (byte) 0x02, (byte) 0x41, (byte) 0x00,
+ (byte) 0x89, (byte) 0x72, (byte) 0x3e, (byte) 0xb0, (byte) 0x90, (byte) 0xfd,
+ (byte) 0x4c, (byte) 0x0e, (byte) 0xd6, (byte) 0x13, (byte) 0x63, (byte) 0xcb,
+ (byte) 0xed, (byte) 0x38, (byte) 0x88, (byte) 0xb6, (byte) 0x79, (byte) 0xc4,
+ (byte) 0x33, (byte) 0x6c, (byte) 0xf6, (byte) 0xf8, (byte) 0xd8, (byte) 0xd0,
+ (byte) 0xbf, (byte) 0x9d, (byte) 0x35, (byte) 0xac, (byte) 0x69, (byte) 0xd2,
+ (byte) 0x2b, (byte) 0xc1, (byte) 0xf9, (byte) 0x24, (byte) 0x7b, (byte) 0xce,
+ (byte) 0xcd, (byte) 0xcb, (byte) 0xa7, (byte) 0xb2, (byte) 0x7a, (byte) 0x0a,
+ (byte) 0x27, (byte) 0x19, (byte) 0xc9, (byte) 0xaf, (byte) 0x0d, (byte) 0x21,
+ (byte) 0x89, (byte) 0x88, (byte) 0x7c, (byte) 0xad, (byte) 0x9e, (byte) 0x8d,
+ (byte) 0x47, (byte) 0x6d, (byte) 0x3f, (byte) 0xce, (byte) 0x7b, (byte) 0xa1,
+ (byte) 0x74, (byte) 0xf1, (byte) 0xa0, (byte) 0xa1, (byte) 0x02, (byte) 0x41,
+ (byte) 0x00, (byte) 0xd9, (byte) 0xa8, (byte) 0xf5, (byte) 0xfe, (byte) 0xce,
+ (byte) 0xe6, (byte) 0x77, (byte) 0x6b, (byte) 0xfe, (byte) 0x2d, (byte) 0xe0,
+ (byte) 0x1e, (byte) 0xb6, (byte) 0x2e, (byte) 0x12, (byte) 0x4e, (byte) 0x40,
+ (byte) 0xaf, (byte) 0x6a, (byte) 0x7b, (byte) 0x37, (byte) 0x49, (byte) 0x2a,
+ (byte) 0x96, (byte) 0x25, (byte) 0x83, (byte) 0x49, (byte) 0xd4, (byte) 0x0c,
+ (byte) 0xc6, (byte) 0x78, (byte) 0x25, (byte) 0x24, (byte) 0x90, (byte) 0x90,
+ (byte) 0x06, (byte) 0x15, (byte) 0x9e, (byte) 0xfe, (byte) 0xf9, (byte) 0xdf,
+ (byte) 0x5b, (byte) 0xf3, (byte) 0x7e, (byte) 0x38, (byte) 0x70, (byte) 0xeb,
+ (byte) 0x57, (byte) 0xd0, (byte) 0xd9, (byte) 0xa7, (byte) 0x0e, (byte) 0x14,
+ (byte) 0xf7, (byte) 0x95, (byte) 0x68, (byte) 0xd5, (byte) 0xc8, (byte) 0xab,
+ (byte) 0x9d, (byte) 0x3a, (byte) 0x2b, (byte) 0x51, (byte) 0xf9, (byte) 0x02,
+ (byte) 0x41, (byte) 0x00, (byte) 0x96, (byte) 0xdf, (byte) 0xe9, (byte) 0x67,
+ (byte) 0x6c, (byte) 0xdc, (byte) 0x90, (byte) 0x14, (byte) 0xb4, (byte) 0x1d,
+ (byte) 0x22, (byte) 0x33, (byte) 0x4a, (byte) 0x31, (byte) 0xc1, (byte) 0x9d,
+ (byte) 0x2e, (byte) 0xff, (byte) 0x9a, (byte) 0x2a, (byte) 0x95, (byte) 0x4b,
+ (byte) 0x27, (byte) 0x74, (byte) 0xcb, (byte) 0x21, (byte) 0xc3, (byte) 0xd2,
+ (byte) 0x0b, (byte) 0xb2, (byte) 0x46, (byte) 0x87, (byte) 0xf8, (byte) 0x28,
+ (byte) 0x01, (byte) 0x8b, (byte) 0xd8, (byte) 0xb9, (byte) 0x4b, (byte) 0xcd,
+ (byte) 0x9a, (byte) 0x96, (byte) 0x41, (byte) 0x0e, (byte) 0x36, (byte) 0x6d,
+ (byte) 0x40, (byte) 0x42, (byte) 0xbc, (byte) 0xd9, (byte) 0xd3, (byte) 0x7b,
+ (byte) 0xbc, (byte) 0xa7, (byte) 0x92, (byte) 0x90, (byte) 0xdd, (byte) 0xa1,
+ (byte) 0x9c, (byte) 0xce, (byte) 0xa1, (byte) 0x87, (byte) 0x11, (byte) 0x51
+ };
+
+ /**
+ * Generated from above and converted with:
+ *
+ * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
+ */
+ public static final byte[] caCertificate = {
+ (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0xce, (byte) 0x30, (byte) 0x82,
+ (byte) 0x02, (byte) 0x37, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
+ (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0x6a,
+ (byte) 0xa2, (byte) 0xf4, (byte) 0x2e, (byte) 0x55, (byte) 0x48, (byte) 0x0a,
+ (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
+ (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
+ (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31,
+ (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
+ (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53,
+ (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03,
+ (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43,
+ (byte) 0x41, (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06,
+ (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d,
+ (byte) 0x4d, (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61,
+ (byte) 0x69, (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65,
+ (byte) 0x77, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06,
+ (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12,
+ (byte) 0x41, (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69,
+ (byte) 0x64, (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74,
+ (byte) 0x20, (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73,
+ (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32,
+ (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x34, (byte) 0x31, (byte) 0x36,
+ (byte) 0x35, (byte) 0x35, (byte) 0x34, (byte) 0x34, (byte) 0x5a, (byte) 0x17,
+ (byte) 0x0d, (byte) 0x32, (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31,
+ (byte) 0x32, (byte) 0x31, (byte) 0x36, (byte) 0x35, (byte) 0x35, (byte) 0x34,
+ (byte) 0x34, (byte) 0x5a, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b,
+ (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
+ (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31,
+ (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
+ (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41,
+ (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03,
+ (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d,
+ (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69,
+ (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77,
+ (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03,
+ (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41,
+ (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64,
+ (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20,
+ (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30,
+ (byte) 0x81, (byte) 0x9f, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09,
+ (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d,
+ (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03,
+ (byte) 0x81, (byte) 0x8d, (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89,
+ (byte) 0x02, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0xa3, (byte) 0x72,
+ (byte) 0xab, (byte) 0xd0, (byte) 0xe4, (byte) 0xad, (byte) 0x2f, (byte) 0xe7,
+ (byte) 0xe2, (byte) 0x79, (byte) 0x07, (byte) 0x36, (byte) 0x3d, (byte) 0x0c,
+ (byte) 0x8d, (byte) 0x42, (byte) 0x9a, (byte) 0x0a, (byte) 0x33, (byte) 0x64,
+ (byte) 0xb3, (byte) 0xcd, (byte) 0xb2, (byte) 0xd7, (byte) 0x3a, (byte) 0x42,
+ (byte) 0x06, (byte) 0x77, (byte) 0x45, (byte) 0x29, (byte) 0xe9, (byte) 0xcb,
+ (byte) 0xb7, (byte) 0x4a, (byte) 0xd6, (byte) 0xee, (byte) 0xad, (byte) 0x01,
+ (byte) 0x91, (byte) 0x9b, (byte) 0x0c, (byte) 0x59, (byte) 0xa1, (byte) 0x03,
+ (byte) 0xfa, (byte) 0xf0, (byte) 0x5a, (byte) 0x7c, (byte) 0x4f, (byte) 0xf7,
+ (byte) 0x8d, (byte) 0x36, (byte) 0x0f, (byte) 0x1f, (byte) 0x45, (byte) 0x7d,
+ (byte) 0x1b, (byte) 0x31, (byte) 0xa1, (byte) 0x35, (byte) 0x0b, (byte) 0x00,
+ (byte) 0xed, (byte) 0x7a, (byte) 0xb6, (byte) 0xc8, (byte) 0x4e, (byte) 0xa9,
+ (byte) 0x86, (byte) 0x4c, (byte) 0x7b, (byte) 0x99, (byte) 0x57, (byte) 0x41,
+ (byte) 0x12, (byte) 0xef, (byte) 0x6b, (byte) 0xbc, (byte) 0x3d, (byte) 0x60,
+ (byte) 0xf2, (byte) 0x99, (byte) 0x1a, (byte) 0xcd, (byte) 0xed, (byte) 0x56,
+ (byte) 0xa4, (byte) 0xe5, (byte) 0x36, (byte) 0x9f, (byte) 0x24, (byte) 0x1f,
+ (byte) 0xdc, (byte) 0x89, (byte) 0x40, (byte) 0xc8, (byte) 0x99, (byte) 0x92,
+ (byte) 0xab, (byte) 0x4a, (byte) 0xb5, (byte) 0x61, (byte) 0x45, (byte) 0x62,
+ (byte) 0xff, (byte) 0xa3, (byte) 0x45, (byte) 0x65, (byte) 0xaf, (byte) 0xf6,
+ (byte) 0x27, (byte) 0x30, (byte) 0x51, (byte) 0x0e, (byte) 0x0e, (byte) 0xeb,
+ (byte) 0x79, (byte) 0x0c, (byte) 0xbe, (byte) 0xb3, (byte) 0x0a, (byte) 0x6f,
+ (byte) 0x29, (byte) 0x06, (byte) 0xdc, (byte) 0x2f, (byte) 0x6b, (byte) 0x51,
+ (byte) 0x02, (byte) 0x03, (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3,
+ (byte) 0x81, (byte) 0xb1, (byte) 0x30, (byte) 0x81, (byte) 0xae, (byte) 0x30,
+ (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e,
+ (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x33, (byte) 0x05,
+ (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60, (byte) 0xc7, (byte) 0xf9,
+ (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c, (byte) 0x8f, (byte) 0x6d,
+ (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e, (byte) 0x5d, (byte) 0x51,
+ (byte) 0x30, (byte) 0x7f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d,
+ (byte) 0x23, (byte) 0x04, (byte) 0x78, (byte) 0x30, (byte) 0x76, (byte) 0x80,
+ (byte) 0x14, (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f,
+ (byte) 0x60, (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73,
+ (byte) 0x5c, (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97,
+ (byte) 0x8e, (byte) 0x5d, (byte) 0x51, (byte) 0xa1, (byte) 0x53, (byte) 0xa4,
+ (byte) 0x51, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
+ (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06,
+ (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b,
+ (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
+ (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31,
+ (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55,
+ (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f,
+ (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e,
+ (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31,
+ (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55,
+ (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e,
+ (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20,
+ (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43,
+ (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x82, (byte) 0x09,
+ (byte) 0x00, (byte) 0xe1, (byte) 0x6a, (byte) 0xa2, (byte) 0xf4, (byte) 0x2e,
+ (byte) 0x55, (byte) 0x48, (byte) 0x0a, (byte) 0x30, (byte) 0x0c, (byte) 0x06,
+ (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x05,
+ (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x30,
+ (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48,
+ (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05,
+ (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81, (byte) 0x00,
+ (byte) 0x8c, (byte) 0x30, (byte) 0x42, (byte) 0xfa, (byte) 0xeb, (byte) 0x1a,
+ (byte) 0x26, (byte) 0xeb, (byte) 0xda, (byte) 0x56, (byte) 0x32, (byte) 0xf2,
+ (byte) 0x9d, (byte) 0xa5, (byte) 0x24, (byte) 0xd8, (byte) 0x3a, (byte) 0xda,
+ (byte) 0x30, (byte) 0xa6, (byte) 0x8b, (byte) 0x46, (byte) 0xfe, (byte) 0xfe,
+ (byte) 0xdb, (byte) 0xf1, (byte) 0xe6, (byte) 0xe1, (byte) 0x7c, (byte) 0x1b,
+ (byte) 0xe7, (byte) 0x77, (byte) 0x00, (byte) 0xa1, (byte) 0x1c, (byte) 0x19,
+ (byte) 0x17, (byte) 0x73, (byte) 0xb0, (byte) 0xf0, (byte) 0x9d, (byte) 0xf3,
+ (byte) 0x4f, (byte) 0xb6, (byte) 0xbc, (byte) 0xc7, (byte) 0x47, (byte) 0x85,
+ (byte) 0x2a, (byte) 0x4a, (byte) 0xa1, (byte) 0xa5, (byte) 0x58, (byte) 0xf5,
+ (byte) 0xc5, (byte) 0x1a, (byte) 0x51, (byte) 0xb1, (byte) 0x04, (byte) 0x80,
+ (byte) 0xee, (byte) 0x3a, (byte) 0xec, (byte) 0x2f, (byte) 0xe1, (byte) 0xfd,
+ (byte) 0x58, (byte) 0xeb, (byte) 0xed, (byte) 0x82, (byte) 0x9e, (byte) 0x38,
+ (byte) 0xa3, (byte) 0x24, (byte) 0x75, (byte) 0xf7, (byte) 0x3e, (byte) 0xc2,
+ (byte) 0xc5, (byte) 0x27, (byte) 0xeb, (byte) 0x6f, (byte) 0x7b, (byte) 0x50,
+ (byte) 0xda, (byte) 0x43, (byte) 0xdc, (byte) 0x3b, (byte) 0x0b, (byte) 0x6f,
+ (byte) 0x78, (byte) 0x8f, (byte) 0xb0, (byte) 0x66, (byte) 0xe1, (byte) 0x12,
+ (byte) 0x87, (byte) 0x5f, (byte) 0x97, (byte) 0x7b, (byte) 0xca, (byte) 0x14,
+ (byte) 0x79, (byte) 0xf7, (byte) 0xe8, (byte) 0x6c, (byte) 0x72, (byte) 0xdb,
+ (byte) 0x91, (byte) 0x65, (byte) 0x17, (byte) 0x54, (byte) 0xe0, (byte) 0x74,
+ (byte) 0x1d, (byte) 0xac, (byte) 0x47, (byte) 0x04, (byte) 0x12, (byte) 0xe0,
+ (byte) 0xc3, (byte) 0x66, (byte) 0x19, (byte) 0x05, (byte) 0x2e, (byte) 0x7e,
+ (byte) 0xf1, (byte) 0x61
+ };
+ }
+
+ /*
+ * The keys and certificates below are generated with:
+ *
+ * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem
+ * openssl dsaparam -out dsaparam.pem 1024
+ * openssl req -newkey dsa:dsaparam.pem -keyout userkey.pem -nodes -days 3650 -out userkey.req
+ * mkdir -p demoCA/newcerts
+ * touch demoCA/index.txt
+ * echo "01" > demoCA/serial
+ * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650
+ */
+ public static class FAKE_DSA_1 {
+ /**
+ * Generated from above and converted with: openssl pkcs8 -topk8 -outform d
+ * -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g'
+ */
+ public static final byte[] privateKey = {
+ (byte) 0x30, (byte) 0x82, (byte) 0x01, (byte) 0x4c, (byte) 0x02, (byte) 0x01,
+ (byte) 0x00, (byte) 0x30, (byte) 0x82, (byte) 0x01, (byte) 0x2c, (byte) 0x06,
+ (byte) 0x07, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x38,
+ (byte) 0x04, (byte) 0x01, (byte) 0x30, (byte) 0x82, (byte) 0x01, (byte) 0x1f,
+ (byte) 0x02, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0xb3, (byte) 0x23,
+ (byte) 0xf7, (byte) 0x86, (byte) 0xbd, (byte) 0x3b, (byte) 0x86, (byte) 0xcc,
+ (byte) 0xc3, (byte) 0x91, (byte) 0xc0, (byte) 0x30, (byte) 0x32, (byte) 0x02,
+ (byte) 0x47, (byte) 0x35, (byte) 0x01, (byte) 0xef, (byte) 0xee, (byte) 0x98,
+ (byte) 0x13, (byte) 0x56, (byte) 0x49, (byte) 0x47, (byte) 0xb5, (byte) 0x20,
+ (byte) 0xa8, (byte) 0x60, (byte) 0xcb, (byte) 0xc0, (byte) 0xd5, (byte) 0x77,
+ (byte) 0xc1, (byte) 0x69, (byte) 0xcd, (byte) 0x18, (byte) 0x34, (byte) 0x92,
+ (byte) 0xf2, (byte) 0x6a, (byte) 0x2a, (byte) 0x10, (byte) 0x59, (byte) 0x1c,
+ (byte) 0x91, (byte) 0x20, (byte) 0x51, (byte) 0xca, (byte) 0x37, (byte) 0xb2,
+ (byte) 0x87, (byte) 0xa6, (byte) 0x8a, (byte) 0x02, (byte) 0xfd, (byte) 0x45,
+ (byte) 0x46, (byte) 0xf9, (byte) 0x76, (byte) 0xb1, (byte) 0x35, (byte) 0x38,
+ (byte) 0x8d, (byte) 0xff, (byte) 0x4c, (byte) 0x5d, (byte) 0x75, (byte) 0x8f,
+ (byte) 0x66, (byte) 0x15, (byte) 0x7d, (byte) 0x7b, (byte) 0xda, (byte) 0xdb,
+ (byte) 0x57, (byte) 0x39, (byte) 0xff, (byte) 0x91, (byte) 0x3f, (byte) 0xdd,
+ (byte) 0xe2, (byte) 0xb4, (byte) 0x22, (byte) 0x60, (byte) 0x4c, (byte) 0x32,
+ (byte) 0x3b, (byte) 0x9d, (byte) 0x34, (byte) 0x9f, (byte) 0xb9, (byte) 0x5d,
+ (byte) 0x75, (byte) 0xb9, (byte) 0xd3, (byte) 0x7f, (byte) 0x11, (byte) 0xba,
+ (byte) 0xb7, (byte) 0xc8, (byte) 0x32, (byte) 0xc6, (byte) 0xce, (byte) 0x71,
+ (byte) 0x91, (byte) 0xd3, (byte) 0x32, (byte) 0xaf, (byte) 0x4d, (byte) 0x7e,
+ (byte) 0x7c, (byte) 0x15, (byte) 0xf7, (byte) 0x71, (byte) 0x2c, (byte) 0x52,
+ (byte) 0x65, (byte) 0x4d, (byte) 0xa9, (byte) 0x81, (byte) 0x25, (byte) 0x35,
+ (byte) 0xce, (byte) 0x0b, (byte) 0x5b, (byte) 0x56, (byte) 0xfe, (byte) 0xf1,
+ (byte) 0x02, (byte) 0x15, (byte) 0x00, (byte) 0xeb, (byte) 0x4e, (byte) 0x7f,
+ (byte) 0x7a, (byte) 0x31, (byte) 0xb3, (byte) 0x7d, (byte) 0x8d, (byte) 0xb2,
+ (byte) 0xf7, (byte) 0xaf, (byte) 0xad, (byte) 0xb1, (byte) 0x42, (byte) 0x92,
+ (byte) 0xf3, (byte) 0x6c, (byte) 0xe4, (byte) 0xed, (byte) 0x8b, (byte) 0x02,
+ (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0x81, (byte) 0xc8, (byte) 0x36,
+ (byte) 0x48, (byte) 0xdb, (byte) 0x71, (byte) 0x2b, (byte) 0x91, (byte) 0xce,
+ (byte) 0x6d, (byte) 0xbc, (byte) 0xb8, (byte) 0xf9, (byte) 0xcb, (byte) 0x50,
+ (byte) 0x91, (byte) 0x10, (byte) 0x8a, (byte) 0xf8, (byte) 0x37, (byte) 0x50,
+ (byte) 0xda, (byte) 0x4f, (byte) 0xc8, (byte) 0x4d, (byte) 0x73, (byte) 0xcb,
+ (byte) 0x4d, (byte) 0xb0, (byte) 0x19, (byte) 0x54, (byte) 0x5a, (byte) 0xf3,
+ (byte) 0x6c, (byte) 0xc9, (byte) 0xd8, (byte) 0x96, (byte) 0xd9, (byte) 0xb0,
+ (byte) 0x54, (byte) 0x7e, (byte) 0x7d, (byte) 0xe2, (byte) 0x58, (byte) 0x0e,
+ (byte) 0x5f, (byte) 0xc0, (byte) 0xce, (byte) 0xb9, (byte) 0x5c, (byte) 0xe3,
+ (byte) 0xd3, (byte) 0xdf, (byte) 0xcf, (byte) 0x45, (byte) 0x74, (byte) 0xfb,
+ (byte) 0xe6, (byte) 0x20, (byte) 0xe7, (byte) 0xfc, (byte) 0x0f, (byte) 0xca,
+ (byte) 0xdb, (byte) 0xc0, (byte) 0x0b, (byte) 0xe1, (byte) 0x5a, (byte) 0x16,
+ (byte) 0x1d, (byte) 0xb3, (byte) 0x2e, (byte) 0xe5, (byte) 0x5f, (byte) 0x89,
+ (byte) 0x17, (byte) 0x73, (byte) 0x50, (byte) 0xd1, (byte) 0x4a, (byte) 0x60,
+ (byte) 0xb7, (byte) 0xaa, (byte) 0xf0, (byte) 0xc7, (byte) 0xc5, (byte) 0x03,
+ (byte) 0x4e, (byte) 0x36, (byte) 0x51, (byte) 0x9e, (byte) 0x2f, (byte) 0xfa,
+ (byte) 0xf3, (byte) 0xd6, (byte) 0x58, (byte) 0x14, (byte) 0x02, (byte) 0xb4,
+ (byte) 0x41, (byte) 0xd6, (byte) 0x72, (byte) 0x6f, (byte) 0x58, (byte) 0x5b,
+ (byte) 0x2d, (byte) 0x23, (byte) 0xc0, (byte) 0x75, (byte) 0x4f, (byte) 0x39,
+ (byte) 0xa8, (byte) 0x6a, (byte) 0xdf, (byte) 0x79, (byte) 0x21, (byte) 0xf2,
+ (byte) 0x77, (byte) 0x91, (byte) 0x3f, (byte) 0x1c, (byte) 0x4d, (byte) 0x48,
+ (byte) 0x78, (byte) 0xcd, (byte) 0xed, (byte) 0x79, (byte) 0x23, (byte) 0x04,
+ (byte) 0x17, (byte) 0x02, (byte) 0x15, (byte) 0x00, (byte) 0xc7, (byte) 0xe7,
+ (byte) 0xe2, (byte) 0x6b, (byte) 0x14, (byte) 0xe6, (byte) 0x31, (byte) 0x12,
+ (byte) 0xb2, (byte) 0x1e, (byte) 0xd4, (byte) 0xf2, (byte) 0x9b, (byte) 0x2c,
+ (byte) 0xf6, (byte) 0x54, (byte) 0x4c, (byte) 0x12, (byte) 0xe8, (byte) 0x22
+
+ };
+
+ /**
+ * Generated from above and converted with:
+ *
+ * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
+ */
+ public static final byte[] caCertificate = new byte[] {
+ (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x8a, (byte) 0x30, (byte) 0x82,
+ (byte) 0x01, (byte) 0xf3, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
+ (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0x87, (byte) 0xc0,
+ (byte) 0x68, (byte) 0x7f, (byte) 0x42, (byte) 0x92, (byte) 0x0b, (byte) 0x7a,
+ (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
+ (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
+ (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x5e, (byte) 0x31,
+ (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
+ (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55,
+ (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03,
+ (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53,
+ (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74,
+ (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30,
+ (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a,
+ (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65,
+ (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57,
+ (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73,
+ (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c,
+ (byte) 0x74, (byte) 0x64, (byte) 0x31, (byte) 0x17, (byte) 0x30, (byte) 0x15,
+ (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c,
+ (byte) 0x0e, (byte) 0x63, (byte) 0x61, (byte) 0x2e, (byte) 0x65, (byte) 0x78,
+ (byte) 0x61, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x65, (byte) 0x2e,
+ (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x30, (byte) 0x1e, (byte) 0x17,
+ (byte) 0x0d, (byte) 0x31, (byte) 0x33, (byte) 0x30, (byte) 0x38, (byte) 0x32,
+ (byte) 0x37, (byte) 0x32, (byte) 0x33, (byte) 0x33, (byte) 0x31, (byte) 0x32,
+ (byte) 0x39, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32, (byte) 0x33,
+ (byte) 0x30, (byte) 0x38, (byte) 0x32, (byte) 0x35, (byte) 0x32, (byte) 0x33,
+ (byte) 0x33, (byte) 0x31, (byte) 0x32, (byte) 0x39, (byte) 0x5a, (byte) 0x30,
+ (byte) 0x5e, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06,
+ (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02,
+ (byte) 0x41, (byte) 0x55, (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11,
+ (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c,
+ (byte) 0x0a, (byte) 0x53, (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d,
+ (byte) 0x53, (byte) 0x74, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31,
+ (byte) 0x21, (byte) 0x30, (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55,
+ (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e,
+ (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74,
+ (byte) 0x20, (byte) 0x57, (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69,
+ (byte) 0x74, (byte) 0x73, (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79,
+ (byte) 0x20, (byte) 0x4c, (byte) 0x74, (byte) 0x64, (byte) 0x31, (byte) 0x17,
+ (byte) 0x30, (byte) 0x15, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
+ (byte) 0x03, (byte) 0x0c, (byte) 0x0e, (byte) 0x63, (byte) 0x61, (byte) 0x2e,
+ (byte) 0x65, (byte) 0x78, (byte) 0x61, (byte) 0x6d, (byte) 0x70, (byte) 0x6c,
+ (byte) 0x65, (byte) 0x2e, (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x30,
+ (byte) 0x81, (byte) 0x9f, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09,
+ (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d,
+ (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03,
+ (byte) 0x81, (byte) 0x8d, (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89,
+ (byte) 0x02, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0xa4, (byte) 0xc7,
+ (byte) 0x06, (byte) 0xba, (byte) 0xdf, (byte) 0x2b, (byte) 0xee, (byte) 0xd2,
+ (byte) 0xb9, (byte) 0xe4, (byte) 0x52, (byte) 0x21, (byte) 0x68, (byte) 0x2b,
+ (byte) 0x83, (byte) 0xdf, (byte) 0xe3, (byte) 0x9c, (byte) 0x08, (byte) 0x73,
+ (byte) 0xdd, (byte) 0x90, (byte) 0xea, (byte) 0x97, (byte) 0x0c, (byte) 0x96,
+ (byte) 0x20, (byte) 0xb1, (byte) 0xee, (byte) 0x11, (byte) 0xd5, (byte) 0xd4,
+ (byte) 0x7c, (byte) 0x44, (byte) 0x96, (byte) 0x2e, (byte) 0x6e, (byte) 0xa2,
+ (byte) 0xb2, (byte) 0xa3, (byte) 0x4b, (byte) 0x0f, (byte) 0x32, (byte) 0x90,
+ (byte) 0xaf, (byte) 0x5c, (byte) 0x6f, (byte) 0x00, (byte) 0x88, (byte) 0x45,
+ (byte) 0x4e, (byte) 0x9b, (byte) 0x26, (byte) 0xc1, (byte) 0x94, (byte) 0x3c,
+ (byte) 0xfe, (byte) 0x10, (byte) 0xbd, (byte) 0xda, (byte) 0xf2, (byte) 0x8d,
+ (byte) 0x03, (byte) 0x52, (byte) 0x32, (byte) 0x11, (byte) 0xff, (byte) 0xf6,
+ (byte) 0xf9, (byte) 0x6e, (byte) 0x8f, (byte) 0x0f, (byte) 0xc8, (byte) 0x0a,
+ (byte) 0x48, (byte) 0x39, (byte) 0x33, (byte) 0xb9, (byte) 0x0c, (byte) 0xb3,
+ (byte) 0x2b, (byte) 0xab, (byte) 0x7d, (byte) 0x79, (byte) 0x6f, (byte) 0x57,
+ (byte) 0x5b, (byte) 0xb8, (byte) 0x84, (byte) 0xb6, (byte) 0xcc, (byte) 0xe8,
+ (byte) 0x30, (byte) 0x78, (byte) 0xff, (byte) 0x92, (byte) 0xe5, (byte) 0x43,
+ (byte) 0x2e, (byte) 0xef, (byte) 0x66, (byte) 0x98, (byte) 0xb4, (byte) 0xfe,
+ (byte) 0xa2, (byte) 0x40, (byte) 0xf2, (byte) 0x1f, (byte) 0xd0, (byte) 0x86,
+ (byte) 0x16, (byte) 0xc8, (byte) 0x45, (byte) 0xc4, (byte) 0x52, (byte) 0xcb,
+ (byte) 0x31, (byte) 0x5c, (byte) 0x9f, (byte) 0x32, (byte) 0x3b, (byte) 0xf7,
+ (byte) 0x19, (byte) 0x08, (byte) 0xc7, (byte) 0x00, (byte) 0x21, (byte) 0x7d,
+ (byte) 0x02, (byte) 0x03, (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3,
+ (byte) 0x50, (byte) 0x30, (byte) 0x4e, (byte) 0x30, (byte) 0x1d, (byte) 0x06,
+ (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x16,
+ (byte) 0x04, (byte) 0x14, (byte) 0x47, (byte) 0x82, (byte) 0xa3, (byte) 0xf1,
+ (byte) 0xc2, (byte) 0x7e, (byte) 0x3a, (byte) 0xde, (byte) 0x4f, (byte) 0x30,
+ (byte) 0x4c, (byte) 0x7f, (byte) 0x72, (byte) 0x81, (byte) 0x15, (byte) 0x32,
+ (byte) 0xda, (byte) 0x7f, (byte) 0x58, (byte) 0x18, (byte) 0x30, (byte) 0x1f,
+ (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04,
+ (byte) 0x18, (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14, (byte) 0x47,
+ (byte) 0x82, (byte) 0xa3, (byte) 0xf1, (byte) 0xc2, (byte) 0x7e, (byte) 0x3a,
+ (byte) 0xde, (byte) 0x4f, (byte) 0x30, (byte) 0x4c, (byte) 0x7f, (byte) 0x72,
+ (byte) 0x81, (byte) 0x15, (byte) 0x32, (byte) 0xda, (byte) 0x7f, (byte) 0x58,
+ (byte) 0x18, (byte) 0x30, (byte) 0x0c, (byte) 0x06, (byte) 0x03, (byte) 0x55,
+ (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x05, (byte) 0x30, (byte) 0x03,
+ (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x30, (byte) 0x0d, (byte) 0x06,
+ (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7,
+ (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00,
+ (byte) 0x03, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0x08, (byte) 0x7f,
+ (byte) 0x6a, (byte) 0x48, (byte) 0x90, (byte) 0x7b, (byte) 0x9b, (byte) 0x72,
+ (byte) 0x13, (byte) 0xa7, (byte) 0xef, (byte) 0x6b, (byte) 0x0b, (byte) 0x59,
+ (byte) 0xe5, (byte) 0x49, (byte) 0x72, (byte) 0x3a, (byte) 0xc8, (byte) 0x84,
+ (byte) 0xcc, (byte) 0x23, (byte) 0x18, (byte) 0x4c, (byte) 0xec, (byte) 0xc7,
+ (byte) 0xef, (byte) 0xcb, (byte) 0xa7, (byte) 0xbe, (byte) 0xe4, (byte) 0xef,
+ (byte) 0x8f, (byte) 0xc6, (byte) 0x06, (byte) 0x8c, (byte) 0xc0, (byte) 0xe4,
+ (byte) 0x2f, (byte) 0x2a, (byte) 0xc0, (byte) 0x35, (byte) 0x7d, (byte) 0x5e,
+ (byte) 0x19, (byte) 0x29, (byte) 0x8c, (byte) 0xb9, (byte) 0xf1, (byte) 0x1e,
+ (byte) 0xaf, (byte) 0x82, (byte) 0xd8, (byte) 0xe3, (byte) 0x88, (byte) 0xe1,
+ (byte) 0x31, (byte) 0xc8, (byte) 0x82, (byte) 0x1f, (byte) 0x83, (byte) 0xa9,
+ (byte) 0xde, (byte) 0xfe, (byte) 0x4b, (byte) 0xe2, (byte) 0x78, (byte) 0x64,
+ (byte) 0xed, (byte) 0xa4, (byte) 0x7b, (byte) 0xee, (byte) 0x8d, (byte) 0x71,
+ (byte) 0x1b, (byte) 0x44, (byte) 0xe6, (byte) 0xb7, (byte) 0xe8, (byte) 0xc5,
+ (byte) 0x9a, (byte) 0x93, (byte) 0x92, (byte) 0x6f, (byte) 0x6f, (byte) 0xdb,
+ (byte) 0xbd, (byte) 0xd7, (byte) 0x03, (byte) 0x85, (byte) 0xa9, (byte) 0x5f,
+ (byte) 0x53, (byte) 0x5f, (byte) 0x5d, (byte) 0x30, (byte) 0xc6, (byte) 0xd9,
+ (byte) 0xce, (byte) 0x34, (byte) 0xa8, (byte) 0xbe, (byte) 0x31, (byte) 0x47,
+ (byte) 0x1c, (byte) 0xa4, (byte) 0x7f, (byte) 0xc0, (byte) 0x2c, (byte) 0xbc,
+ (byte) 0xfe, (byte) 0x1a, (byte) 0x31, (byte) 0xd8, (byte) 0x77, (byte) 0x4d,
+ (byte) 0xfc, (byte) 0x45, (byte) 0x84, (byte) 0xfc, (byte) 0x45, (byte) 0x12,
+ (byte) 0xab, (byte) 0x50, (byte) 0xe4, (byte) 0x45, (byte) 0xe5, (byte) 0x11
+ };
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/KeyManagementTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/KeyManagementTest.java
new file mode 100644
index 0000000..fe2bdda
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/KeyManagementTest.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+import static com.android.cts.deviceowner.FakeKeys.FAKE_RSA_1;
+
+import android.app.admin.DevicePolicyManager;
+
+import java.io.ByteArrayInputStream;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.Certificate;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+
+public class KeyManagementTest extends BaseDeviceOwnerTest {
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ assertTrue(mDevicePolicyManager.resetPassword("test", 0));
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ mDevicePolicyManager.setPasswordQuality(getWho(),
+ DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED);
+ mDevicePolicyManager.setPasswordMinimumLength(getWho(), 0);
+ assertTrue(mDevicePolicyManager.resetPassword("", 0));
+ super.tearDown();
+ }
+
+ public void testCanInstallValidRsaKeypair()
+ throws CertificateException, NoSuchAlgorithmException, InvalidKeySpecException {
+ final String alias = "com.android.test.valid-rsa-key-1";
+ final PrivateKey privKey = getPrivateKey(FAKE_RSA_1.privateKey , "RSA");
+ final Certificate cert = getCertificate(FAKE_RSA_1.caCertificate);
+ assertTrue(mDevicePolicyManager.installKeyPair(getWho(), privKey, cert, alias));
+ }
+
+ public void testNullKeyParamsFailGracefully()
+ throws CertificateException, NoSuchAlgorithmException, InvalidKeySpecException {
+ final String alias = "com.android.test.null-key-1";
+ final PrivateKey privKey = getPrivateKey(FAKE_RSA_1.privateKey, "RSA");
+ final Certificate cert = getCertificate(FAKE_RSA_1.caCertificate);
+ try {
+ assertFalse(mDevicePolicyManager.installKeyPair(getWho(), null, cert, alias));
+ } catch (NullPointerException accept) {
+ // Accept either false return value or NPE
+ }
+ try {
+ assertFalse(mDevicePolicyManager.installKeyPair(getWho(), privKey, null, alias));
+ } catch (NullPointerException accept) {
+ // Accept either false return value or NPE
+ }
+ }
+
+ public void testNullAdminComponentIsDenied()
+ throws CertificateException, NoSuchAlgorithmException, InvalidKeySpecException {
+ final String alias = "com.android.test.null-admin-1";
+ final PrivateKey privKey = getPrivateKey(FAKE_RSA_1.privateKey, "RSA");
+ final Certificate cert = getCertificate(FAKE_RSA_1.caCertificate);
+ try {
+ assertFalse(mDevicePolicyManager.installKeyPair(null, privKey, cert, alias));
+ fail("Exception should have been thrown for null ComponentName");
+ } catch (SecurityException | NullPointerException expected) {
+ }
+ }
+
+ PrivateKey getPrivateKey(final byte[] key, String type)
+ throws NoSuchAlgorithmException, InvalidKeySpecException {
+ return KeyFactory.getInstance(type).generatePrivate(
+ new PKCS8EncodedKeySpec(key));
+ }
+
+ Certificate getCertificate(byte[] cert) throws CertificateException {
+ return CertificateFactory.getInstance("X.509").generateCertificate(
+ new ByteArrayInputStream(cert));
+ }
+
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/LockTaskTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/LockTaskTest.java
new file mode 100644
index 0000000..c0ca8e2
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/LockTaskTest.java
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+import android.app.ActivityManager;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.provider.Settings;
+
+// This is not a standard test of an android activity (such as
+// ActivityInstrumentationTestCase2) as it is attempting to test the actual
+// life cycle and how it is affected by lock task, rather than mock intents
+// and setup.
+public class LockTaskTest extends BaseDeviceOwnerTest {
+
+ private static final String TEST_PACKAGE = "com.google.android.example.somepackage";
+
+ /**
+ * The tests below need to keep detailed track of the state of the activity
+ * that is started and stopped frequently. To do this it sends a number of
+ * broadcasts that are caught here and translated into booleans (as well as
+ * notify some locks in case we are waiting). There is also an action used
+ * to specify that the activity has finished handling the current command
+ * (INTENT_ACTION).
+ */
+ private final BroadcastReceiver mReceiver = new BroadcastReceiver() {
+ @Override
+ public void onReceive(Context context, Intent intent) {
+ String action = intent.getAction();
+ if (LockTaskUtilityActivity.CREATE_ACTION.equals(action)) {
+ synchronized (mActivityRunningLock) {
+ mIsActivityRunning = true;
+ mActivityRunningLock.notify();
+ }
+ } else if (LockTaskUtilityActivity.DESTROY_ACTION.equals(action)) {
+ synchronized (mActivityRunningLock) {
+ mIsActivityRunning = false;
+ mActivityRunningLock.notify();
+ }
+ } else if (LockTaskUtilityActivity.RESUME_ACTION.equals(action)) {
+ synchronized (mActivityResumedLock) {
+ mIsActivityResumed = true;
+ mActivityResumedLock.notify();
+ }
+ } else if (LockTaskUtilityActivity.PAUSE_ACTION.equals(action)) {
+ synchronized (mActivityResumedLock) {
+ mIsActivityResumed = false;
+ mActivityResumedLock.notify();
+ }
+ } else if (LockTaskUtilityActivity.INTENT_ACTION.equals(action)) {
+ // Notify that intent has been handled.
+ synchronized (LockTaskTest.this) {
+ mIntentHandled = true;
+ LockTaskTest.this.notify();
+ }
+ }
+ }
+ };
+
+ private boolean mIsActivityRunning;
+ private boolean mIsActivityResumed;
+ private final Object mActivityRunningLock = new Object();
+ private final Object mActivityResumedLock = new Object();
+ private Boolean mIntentHandled;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ IntentFilter filter = new IntentFilter();
+ filter.addAction(LockTaskUtilityActivity.CREATE_ACTION);
+ filter.addAction(LockTaskUtilityActivity.DESTROY_ACTION);
+ filter.addAction(LockTaskUtilityActivity.INTENT_ACTION);
+ filter.addAction(LockTaskUtilityActivity.RESUME_ACTION);
+ filter.addAction(LockTaskUtilityActivity.PAUSE_ACTION);
+ mContext.registerReceiver(mReceiver, filter);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ mContext.unregisterReceiver(mReceiver);
+ super.tearDown();
+ }
+
+ public void testSetLockTaskPackages() {
+ mDevicePolicyManager.setLockTaskPackages(getWho(), new String[] { TEST_PACKAGE });
+ assertTrue(mDevicePolicyManager.isLockTaskPermitted(TEST_PACKAGE));
+
+ mDevicePolicyManager.setLockTaskPackages(getWho(), new String[0]);
+ assertFalse(mDevicePolicyManager.isLockTaskPermitted(TEST_PACKAGE));
+ }
+
+ // Start lock task, verify that ActivityManager knows thats what is going on.
+ public void testStartLockTask() {
+ mDevicePolicyManager.setLockTaskPackages(getWho(), new String[] { PACKAGE_NAME });
+ startLockTask();
+ waitForResume();
+
+ // Verify that activity open and activity manager is in lock task.
+ ActivityManager activityManager = (ActivityManager)
+ mContext.getSystemService(Context.ACTIVITY_SERVICE);
+ assertTrue(activityManager.isInLockTaskMode());
+ assertTrue(mIsActivityRunning);
+ assertTrue(mIsActivityResumed);
+
+ stopAndFinish(activityManager);
+ }
+
+ // Verifies that the act of finishing is blocked by ActivityManager in lock task.
+ // This results in onDestroy not being called until stopLockTask is called before finish.
+ public void testCannotFinish() {
+ mDevicePolicyManager.setLockTaskPackages(getWho(), new String[] { PACKAGE_NAME });
+ startLockTask();
+
+ // If lock task has not exited then the activity shouldn't actually receive onDestroy.
+ finishAndWait();
+ ActivityManager activityManager = (ActivityManager)
+ mContext.getSystemService(Context.ACTIVITY_SERVICE);
+ assertTrue(activityManager.isInLockTaskMode());
+ assertTrue(mIsActivityRunning);
+
+ stopAndFinish(activityManager);
+ }
+
+ // This test has the UtilityActivity trigger starting another activity (settings)
+ // this should be permitted as a part of lock task (since it isn't a new task).
+ // As a result onPause should be called as it goes to a new activity.
+// TODO: Reinstate once we make this test not flaky (if fails on Nexus 7 v2 most of the time,
+// especially if testCannotStartActivityOutsideTask() is commented out.
+// public void testStartActivityWithinTask() {
+// mDevicePolicyManager.setLockTaskPackages(getWho(), new String[] { PACKAGE_NAME });
+// startLockTask();
+// waitForResume();
+//
+// Intent launchIntent = new Intent(Settings.ACTION_SETTINGS);
+// Intent lockTaskUtility = getLockTaskUtility();
+// lockTaskUtility.putExtra(LockTaskUtilityActivity.START_ACTIVITY, launchIntent);
+// mContext.startActivity(lockTaskUtility);
+//
+// synchronized (mActivityResumedLock) {
+// if (mIsActivityResumed) {
+// try {
+// mActivityResumedLock.wait(60000);
+// } catch (InterruptedException e) {
+// }
+// assertFalse(mIsActivityResumed);
+// }
+// }
+// stopAndFinish(null);
+// }
+
+ // This launches an activity that is not part of the current task and therefore
+ // should be blocked. This is verified by making sure that the activity does
+ // not get a call to onPause.
+// TODO: Reinstate once we make this test not flaky (if fails on Nexus 7 v2 most of the time)
+// public void testCannotStartActivityOutsideTask() {
+// mDevicePolicyManager.setLockTaskPackages(getWho(), new String[] { PACKAGE_NAME });
+// startLockTask();
+// waitForResume();
+//
+// Intent launchIntent = new Intent(Settings.ACTION_SETTINGS);
+// launchIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+// mContext.startActivity(launchIntent);
+//
+// synchronized (mActivityResumedLock) {
+// try {
+// mActivityResumedLock.wait(90000);
+// } catch (InterruptedException e) {
+// }
+// assertTrue(mIsActivityResumed);
+// }
+// stopAndFinish(null);
+// }
+
+ /**
+ * Call stopLockTask and finish on the LockTaskUtilityActivity.
+ *
+ * Verify that the activity is no longer running.
+ *
+ * If activityManager is not null then verify that the ActivityManager
+ * is no longer in lock task mode.
+ */
+ private void stopAndFinish(ActivityManager activityManager) {
+ stopLockTask();
+ finishAndWait();
+ if (activityManager != null) {
+ assertFalse(activityManager.isInLockTaskMode());
+ }
+ assertFalse(mIsActivityRunning);
+ }
+
+ /**
+ * Call finish on the LockTaskUtilityActivity and wait for
+ * onDestroy to be called.
+ */
+ private void finishAndWait() {
+ synchronized (mActivityRunningLock) {
+ finish();
+ if (mIsActivityRunning) {
+ try {
+ mActivityRunningLock.wait(20000);
+ } catch (InterruptedException e) {
+ }
+ }
+ }
+ }
+
+ /**
+ * Wait for onPause to be called on the LockTaskUtilityActivity.
+ */
+ private void waitForResume() {
+ // It may take a moment for the resume to come in.
+ synchronized (mActivityResumedLock) {
+ if (!mIsActivityResumed) {
+ try {
+ mActivityResumedLock.wait(20000);
+ } catch (InterruptedException e) {
+ }
+ }
+ }
+ }
+
+ /**
+ * Calls startLockTask on the LockTaskUtilityActivity
+ */
+ private void startLockTask() {
+ Intent intent = getLockTaskUtility();
+ intent.putExtra(LockTaskUtilityActivity.START_LOCK_TASK, true);
+ startAndWait(intent);
+ }
+
+ /**
+ * Calls stopLockTask on the LockTaskUtilityActivity
+ */
+ private void stopLockTask() {
+ Intent intent = getLockTaskUtility();
+ intent.putExtra(LockTaskUtilityActivity.STOP_LOCK_TASK, true);
+ startAndWait(intent);
+ }
+
+ /**
+ * Calls finish on the LockTaskUtilityActivity
+ */
+ private void finish() {
+ Intent intent = getLockTaskUtility();
+ intent.putExtra(LockTaskUtilityActivity.FINISH, true);
+ startAndWait(intent);
+ }
+
+ /**
+ * Sends a command intent to the LockTaskUtilityActivity and waits
+ * to receive the broadcast back confirming it has finished processing
+ * the command.
+ */
+ private void startAndWait(Intent intent) {
+ mIntentHandled = false;
+ synchronized (this) {
+ mContext.startActivity(intent);
+ // Give 20 secs to finish.
+ try {
+ wait(20000);
+ } catch (InterruptedException e) {
+ }
+ assertTrue(mIntentHandled);
+ }
+ }
+
+ /**
+ * Get basic intent that points at the LockTaskUtilityActivity.
+ *
+ * This intent includes the flags to make it act as single top.
+ */
+ private Intent getLockTaskUtility() {
+ Intent intent = new Intent();
+ intent.setClassName(PACKAGE_NAME, LockTaskUtilityActivity.class.getName());
+ intent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP | Intent.FLAG_ACTIVITY_NEW_TASK);
+ return intent;
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/LockTaskUtilityActivity.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/LockTaskUtilityActivity.java
new file mode 100644
index 0000000..2901f5b
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/LockTaskUtilityActivity.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.deviceowner;
+
+import android.app.Activity;
+import android.content.Intent;
+
+public class LockTaskUtilityActivity extends Activity {
+
+ public static final String START_LOCK_TASK = "startLockTask";
+ public static final String STOP_LOCK_TASK = "stopLockTask";
+ public static final String START_ACTIVITY = "startActivity";
+ public static final String FINISH = "finish";
+
+ public static final String CREATE_ACTION = "com.android.cts.deviceowner.LOCK_TASK_CREATE";
+ public static final String DESTROY_ACTION = "com.android.cts.deviceowner.LOCK_TASK_DESTROY";
+ public static final String PAUSE_ACTION = "com.android.cts.deviceowner.LOCK_TASK_PAUSE";
+ public static final String RESUME_ACTION = "com.android.cts.deviceowner.LOCK_TASK_RESUME";
+ public static final String INTENT_ACTION = "com.android.cts.deviceowner.LOCK_TASK_INTENT";
+
+ @Override
+ protected void onNewIntent(Intent intent) {
+ super.onNewIntent(intent);
+ handleIntent(intent);
+ }
+
+ @Override
+ protected void onCreate(android.os.Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ sendBroadcast(new Intent(CREATE_ACTION));
+ handleIntent(getIntent());
+ }
+
+ @Override
+ protected void onDestroy() {
+ sendBroadcast(new Intent(DESTROY_ACTION));
+ super.onDestroy();
+ }
+
+ @Override
+ protected void onResume() {
+ sendBroadcast(new Intent(RESUME_ACTION));
+ super.onResume();
+ }
+
+ @Override
+ protected void onPause() {
+ sendBroadcast(new Intent(PAUSE_ACTION));
+ super.onPause();
+ }
+
+ private void handleIntent(Intent intent) {
+ if (intent.getBooleanExtra(START_LOCK_TASK, false)) {
+ startLockTask();
+ }
+ if (intent.getBooleanExtra(STOP_LOCK_TASK, false)) {
+ stopLockTask();
+ }
+ if (intent.hasExtra(START_ACTIVITY)) {
+ Intent i = intent.getParcelableExtra(START_ACTIVITY);
+ startActivity(i);
+ }
+ if (intent.getBooleanExtra(FINISH, false)) {
+ finish();
+ }
+ sendBroadcast(new Intent(INTENT_ACTION));
+ }
+
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/PersistentIntentResolvingTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/PersistentIntentResolvingTest.java
new file mode 100644
index 0000000..fcef05f
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/PersistentIntentResolvingTest.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+import android.content.BroadcastReceiver;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.os.SystemClock;
+
+public class PersistentIntentResolvingTest extends BaseDeviceOwnerTest {
+ public static final String EXAMPLE_ACTION = "com.android.cts.deviceowner.EXAMPLE_ACTION";
+
+ private boolean mReceivedConfirmationFrom1;
+ private boolean mReceivedConfirmationFrom2;
+ private BroadcastReceiver mReceiver;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ IntentFilter filter = new IntentFilter();
+ filter.addAction(ExampleIntentReceivingActivity1.CONFIRM_ACTION);
+ filter.addAction(ExampleIntentReceivingActivity2.CONFIRM_ACTION);
+
+ mReceiver = new ConfirmReceiver();
+ mContext.registerReceiver(mReceiver, filter);
+
+ synchronized(this) {
+ mReceivedConfirmationFrom1 = false;
+ mReceivedConfirmationFrom2 = false;
+ }
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ mDevicePolicyManager.clearPackagePersistentPreferredActivities(getWho(), PACKAGE_NAME);
+ mContext.unregisterReceiver(mReceiver);
+
+ super.tearDown();
+ }
+
+ public void testNoPersistentPreferredActivityYieldsResolverActivity() {
+ sendExampleIntent();
+ SystemClock.sleep(5000);
+
+ // Default behavior: intent results in resolver activity, since there are two potential
+ // receivers. No intent is received.
+ synchronized(this) {
+ assertFalse(mReceivedConfirmationFrom1);
+ assertFalse(mReceivedConfirmationFrom2);
+ }
+ }
+
+ public void testAddPersistentPreferredActivityYieldsReceptionAtTarget() {
+ addPersistentPreferredActivity();
+ sendExampleIntent();
+ SystemClock.sleep(5000);
+
+ // Persistent preferred activity present: intent should be received by activity 2.
+ synchronized(this) {
+ assertFalse(mReceivedConfirmationFrom1);
+ assertTrue(mReceivedConfirmationFrom2);
+ }
+ }
+
+ public void testAddAndClearPersistentPreferredActivitiesYieldsResolverActivity() {
+ addPersistentPreferredActivity();
+ mDevicePolicyManager.clearPackagePersistentPreferredActivities(getWho(), PACKAGE_NAME);
+
+ sendExampleIntent();
+ SystemClock.sleep(5000);
+
+ // Default behavior: intent results in resolver activity, since there are two potential
+ // receivers. No intent is received.
+ synchronized(this) {
+ assertFalse(mReceivedConfirmationFrom1);
+ assertFalse(mReceivedConfirmationFrom2);
+ }
+ }
+
+ public class ConfirmReceiver extends BroadcastReceiver {
+ @Override
+ public void onReceive(Context context, Intent intent) {
+ if (intent.getAction().equals(ExampleIntentReceivingActivity1.CONFIRM_ACTION)) {
+ synchronized (PersistentIntentResolvingTest.this) {
+ mReceivedConfirmationFrom1 = true;
+ }
+ } else if (intent.getAction().equals(ExampleIntentReceivingActivity2
+ .CONFIRM_ACTION)) {
+ synchronized (PersistentIntentResolvingTest.this) {
+ mReceivedConfirmationFrom2 = true;
+ }
+ }
+ }
+ }
+
+ private void sendExampleIntent() {
+ Intent exampleIntent = new Intent(EXAMPLE_ACTION);
+ exampleIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ mContext.startActivity(exampleIntent);
+ }
+
+ private void addPersistentPreferredActivity() {
+ IntentFilter filter = new IntentFilter();
+ filter.addAction(EXAMPLE_ACTION);
+ filter.addCategory(Intent.CATEGORY_DEFAULT);
+ ComponentName targetComponent = new ComponentName(PACKAGE_NAME,
+ ExampleIntentReceivingActivity2.class.getName());
+ mDevicePolicyManager.addPersistentPreferredActivity(getWho(), filter, targetComponent);
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ScreenCaptureDisabledTest.java b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ScreenCaptureDisabledTest.java
new file mode 100644
index 0000000..59b9773
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/src/com/android/cts/deviceowner/ScreenCaptureDisabledTest.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.deviceowner;
+
+import android.app.admin.DevicePolicyManager;
+
+/**
+ * Tests for {@link DevicePolicyManager#setScreenCaptureDisabled} and
+ * {@link DevicePolicyManager#getScreenCaptureDisabled} APIs.
+ */
+public class ScreenCaptureDisabledTest extends BaseDeviceOwnerTest {
+
+ public void testSetScreenCaptureDisabled_false() throws Exception {
+ mDevicePolicyManager.setScreenCaptureDisabled(getWho(), false);
+ assertFalse(mDevicePolicyManager.getScreenCaptureDisabled(getWho()));
+ }
+
+ public void testSetScreenCaptureDisabled_true() throws Exception {
+ mDevicePolicyManager.setScreenCaptureDisabled(getWho(), true);
+ assertTrue(mDevicePolicyManager.getScreenCaptureDisabled(getWho()));
+ }
+
+ public void testSetScreenCaptureDisabled_anyAdminTrue() {
+ mDevicePolicyManager.setScreenCaptureDisabled(getWho(), true);
+ assertTrue(mDevicePolicyManager.getScreenCaptureDisabled(null /* any admin */));
+ }
+
+ public void testSetScreenCaptureDisabled_anyAdminFalse() {
+ mDevicePolicyManager.setScreenCaptureDisabled(getWho(), false);
+ assertFalse(mDevicePolicyManager.getScreenCaptureDisabled(null /* any admin */));
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk b/hostsidetests/devicepolicy/app/ManagedProfile/Android.mk
similarity index 95%
copy from hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
copy to hostsidetests/devicepolicy/app/ManagedProfile/Android.mk
index baf540b..00dace0 100644
--- a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/Android.mk
@@ -16,7 +16,7 @@
include $(CLEAR_VARS)
-LOCAL_PACKAGE_NAME := CtsProfileOwnerApp
+LOCAL_PACKAGE_NAME := CtsManagedProfileApp
LOCAL_MODULE_TAGS := optional
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/AndroidManifest.xml b/hostsidetests/devicepolicy/app/ManagedProfile/AndroidManifest.xml
new file mode 100644
index 0000000..2c11b5c
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/AndroidManifest.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2014 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.managedprofile">
+
+ <uses-sdk android:minSdkVersion="20"/>
+
+ <application>
+ <uses-library android:name="android.test.runner" />
+ <receiver
+ android:name="com.android.cts.managedprofile.BaseManagedProfileTest$BasicAdminReceiver"
+ android:permission="android.permission.BIND_DEVICE_ADMIN">
+ <meta-data android:name="android.app.device_admin"
+ android:resource="@xml/device_admin" />
+ <intent-filter>
+ <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+ </intent-filter>
+ </receiver>
+ <activity android:name=".PrimaryUserFilterSetterActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <action android:name="com.android.cts.managedprofile.ACTION_TEST_SET_FILTERS" />
+ <category android:name="android.intent.category.DEFAULT"/>
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ <activity android:name=".ManagedProfileActivity">
+ <intent-filter>
+ <category android:name="android.intent.category.DEFAULT"/>
+ <action android:name="com.android.cts.managedprofile.ACTION_TEST_MANAGED_ACTIVITY" />
+ </intent-filter>
+ </activity>
+ <activity android:name=".PrimaryUserActivity">
+ <intent-filter>
+ <category android:name="android.intent.category.DEFAULT"/>
+ <action android:name="com.android.cts.managedprofile.ACTION_TEST_PRIMARY_ACTIVITY" />
+ </intent-filter>
+ </activity>
+ <activity android:name=".AllUsersActivity">
+ <intent-filter>
+ <category android:name="android.intent.category.DEFAULT"/>
+ <action android:name="com.android.cts.managedprofile.ACTION_TEST_ALL_ACTIVITY" />
+ </intent-filter>
+ </activity>
+ </application>
+
+ <instrumentation android:name="android.test.InstrumentationTestRunner"
+ android:targetPackage="com.android.cts.managedprofile"
+ android:label="Managed Profile CTS Tests"/>
+</manifest>
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/res/values/strings.xml b/hostsidetests/devicepolicy/app/ManagedProfile/res/values/strings.xml
similarity index 100%
rename from hostsidetests/devicepolicy/app/ProfileOwner/res/values/strings.xml
rename to hostsidetests/devicepolicy/app/ManagedProfile/res/values/strings.xml
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/res/xml/device_admin.xml b/hostsidetests/devicepolicy/app/ManagedProfile/res/xml/device_admin.xml
similarity index 100%
rename from hostsidetests/devicepolicy/app/ProfileOwner/res/xml/device_admin.xml
rename to hostsidetests/devicepolicy/app/ManagedProfile/res/xml/device_admin.xml
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/BaseProfileOwnerTest.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/BaseManagedProfileTest.java
similarity index 78%
rename from hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/BaseProfileOwnerTest.java
rename to hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/BaseManagedProfileTest.java
index e7ccc74..8a2a6ec 100644
--- a/hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/BaseProfileOwnerTest.java
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/BaseManagedProfileTest.java
@@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package com.android.cts.profileowner;
+package com.android.cts.managedprofile;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
@@ -27,7 +27,7 @@
* This class handles making sure that the test is the profile owner and that it has an active admin
* registered, so that all tests may assume these are done.
*/
-public class BaseProfileOwnerTest extends AndroidTestCase {
+public class BaseManagedProfileTest extends AndroidTestCase {
public static class BasicAdminReceiver extends DeviceAdminReceiver {
}
@@ -44,9 +44,11 @@
mDevicePolicyManager = (DevicePolicyManager)
mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
assertNotNull(mDevicePolicyManager);
- // TODO: Only check this if we are running as the profile user. Otherwise, maybe check
- // that there is a profile and that the below holds for it? If we don't want to do these
- // checks, we could get rid for this class altogether.
+
+ // TODO: Only check the below if we are running as the profile user. If running under the
+ // user owner, can we check that there is a profile and that the below holds for it? If we
+ // don't want to do these checks every time we could get rid of this class altogether and
+ // just have a single test case running under the profile user that do them.
assertTrue(mDevicePolicyManager.isAdminActive(ADMIN_RECEIVER_COMPONENT));
assertTrue(mDevicePolicyManager.isProfileOwnerApp(
ADMIN_RECEIVER_COMPONENT.getPackageName()));
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/ProfileOwnerSetupTest.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/ManagedProfileSetupTest.java
similarity index 84%
rename from hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/ProfileOwnerSetupTest.java
rename to hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/ManagedProfileSetupTest.java
index 6fc0eb9..b95194e 100644
--- a/hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/ProfileOwnerSetupTest.java
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/ManagedProfileSetupTest.java
@@ -13,14 +13,14 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package com.android.cts.profileowner;
+package com.android.cts.managedprofile;
-public class ProfileOwnerSetupTest extends BaseProfileOwnerTest {
+public class ManagedProfileSetupTest extends BaseManagedProfileTest {
// This test verifies that the setUp assertions on the base class are working to verify
// we are the profile owner and have a valid active admin.
- public void testProfileOwnerSetup() {
+ public void testManagedProfileSetup() {
// Empty test. We just want the assertions from super.setUp() to be executed.
}
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/WipeDataTest.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/WipeDataTest.java
similarity index 93%
rename from hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/WipeDataTest.java
rename to hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/WipeDataTest.java
index 2213d3b..b548c96 100644
--- a/hostsidetests/devicepolicy/app/ProfileOwner/src/com/android/cts/profileowner/WipeDataTest.java
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/WipeDataTest.java
@@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package com.android.cts.profileowner;
+package com.android.cts.managedprofile;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
@@ -22,7 +22,7 @@
import android.os.UserHandle;
import android.os.UserManager;
-import com.android.cts.profileowner.BaseProfileOwnerTest.BasicAdminReceiver;
+import com.android.cts.managedprofile.BaseManagedProfileTest.BasicAdminReceiver;
import org.junit.Ignore;
@@ -30,7 +30,7 @@
* Test wipeData() for use in managed profile. If called from a managed profile, wipeData() should
* remove the current managed profile. Also, no erasing of external storage should be allowed.
*/
-public class WipeDataTest extends BaseProfileOwnerTest {
+public class WipeDataTest extends BaseManagedProfileTest {
private UserManager mUserManager;
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/AllUsersActivity.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/AllUsersActivity.java
new file mode 100644
index 0000000..7260acd
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/AllUsersActivity.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.managedprofile;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.util.Log;
+
+/**
+ * Activity that lives in both primary user and its profile.
+ */
+public class AllUsersActivity extends Activity {
+ private static final String TAG = AllUsersActivity.class.getName();
+
+ public static final String ACTION =
+ "com.android.cts.managedprofile.ACTION_TEST_ALL_ACTIVITY";
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.i(TAG, "Roger that!");
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/ManagedProfileActivity.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/ManagedProfileActivity.java
new file mode 100644
index 0000000..a91f633
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/ManagedProfileActivity.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.managedprofile;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.util.Log;
+
+/**
+ * Activity that lives in the managed profile.
+ */
+public class ManagedProfileActivity extends Activity {
+ private static final String TAG = ManagedProfileActivity.class.getName();
+
+ public static final String ACTION =
+ "com.android.cts.managedprofile.ACTION_TEST_MANAGED_ACTIVITY";
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.i(TAG, "Roger that!");
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/ManagedProfileTest.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/ManagedProfileTest.java
new file mode 100644
index 0000000..0e3822b
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/ManagedProfileTest.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.managedprofile;
+
+import android.app.admin.DevicePolicyManager;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+
+/**
+ * Test for {@link DevicePolicyManager#addCrossProfileIntentFilter} API.
+ *
+ * Note that it expects that there is an activity responding to {@code PrimaryUserActivity.ACTION}
+ * in the primary profile, one to {@code ManagedProfileActivity.ACTION} in the secondary profile,
+ * and one to {@code AllUsersActivity.ACTION} in both profiles.
+ */
+public class ManagedProfileTest extends BaseManagedProfileTest {
+
+ private PackageManager mPackageManager;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mPackageManager = getContext().getPackageManager();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ mDevicePolicyManager.clearCrossProfileIntentFilters(ADMIN_RECEIVER_COMPONENT);
+ super.tearDown();
+ }
+
+ public void testClearCrossProfileIntentFilters() {
+ IntentFilter testIntentFilter = new IntentFilter();
+ testIntentFilter.addAction(PrimaryUserActivity.ACTION);
+ mDevicePolicyManager.addCrossProfileIntentFilter(ADMIN_RECEIVER_COMPONENT,
+ testIntentFilter, DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED);
+ assertEquals(1, mPackageManager.queryIntentActivities(
+ new Intent(PrimaryUserActivity.ACTION), /* flags = */ 0).size());
+
+ mDevicePolicyManager.clearCrossProfileIntentFilters(ADMIN_RECEIVER_COMPONENT);
+
+ assertTrue(mPackageManager.queryIntentActivities(
+ new Intent(PrimaryUserActivity.ACTION), /* flags = */ 0).isEmpty());
+ }
+
+ public void testAddCrossProfileIntentFilter_primary() {
+ assertEquals(0, mPackageManager.queryIntentActivities(
+ new Intent(PrimaryUserActivity.ACTION), /* flags = */ 0).size());
+
+ IntentFilter testIntentFilter = new IntentFilter();
+ testIntentFilter.addAction(PrimaryUserActivity.ACTION);
+ mDevicePolicyManager.addCrossProfileIntentFilter(ADMIN_RECEIVER_COMPONENT,
+ testIntentFilter, DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED);
+
+ assertEquals(1, mPackageManager.queryIntentActivities(
+ new Intent(PrimaryUserActivity.ACTION), /* flags = */ 0).size());
+ }
+
+ public void testAddCrossProfileIntentFilter_all() {
+ assertEquals(1, mPackageManager.queryIntentActivities(
+ new Intent(AllUsersActivity.ACTION), /* flags = */ 0).size());
+
+ IntentFilter testIntentFilter = new IntentFilter();
+ testIntentFilter.addAction(AllUsersActivity.ACTION);
+ mDevicePolicyManager.addCrossProfileIntentFilter(ADMIN_RECEIVER_COMPONENT,
+ testIntentFilter, DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED);
+
+ assertEquals(2, mPackageManager.queryIntentActivities(
+ new Intent(AllUsersActivity.ACTION), /* flags = */ 0).size());
+ }
+
+ public void testAddCrossProfileIntentFilter_managed() {
+ assertEquals(1, mPackageManager.queryIntentActivities(
+ new Intent(ManagedProfileActivity.ACTION), /* flags = */ 0).size());
+
+ IntentFilter testIntentFilter = new IntentFilter();
+ testIntentFilter.addAction(ManagedProfileActivity.ACTION);
+ mDevicePolicyManager.addCrossProfileIntentFilter(ADMIN_RECEIVER_COMPONENT,
+ testIntentFilter, DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED);
+
+ // We should still be resolving in the profile
+ assertEquals(1, mPackageManager.queryIntentActivities(
+ new Intent(ManagedProfileActivity.ACTION), /* flags = */ 0).size());
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserActivity.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserActivity.java
new file mode 100644
index 0000000..f6fa172
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserActivity.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.managedprofile;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.util.Log;
+
+/**
+ * Activity for that lives in the primary user.
+ */
+public class PrimaryUserActivity extends Activity {
+ private static final String TAG = PrimaryUserActivity.class.getName();
+
+ public static final String ACTION =
+ "com.android.cts.managedprofile.ACTION_TEST_PRIMARY_ACTIVITY";
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.i(TAG, "Roger that!");
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserFilterSetterActivity.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserFilterSetterActivity.java
new file mode 100644
index 0000000..c00ced5
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserFilterSetterActivity.java
@@ -0,0 +1,43 @@
+package com.android.cts.managedprofile;
+
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.content.Context;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.os.Bundle;
+import android.util.Log;
+
+import static com.android.cts.managedprofile.BaseManagedProfileTest.ADMIN_RECEIVER_COMPONENT;
+
+/**
+ * Class that sets the cross-profile intent filters required to test intent filtering from
+ * the primary profile to the managed one.
+ */
+public class PrimaryUserFilterSetterActivity extends Activity {
+
+ public static final String TAG = PrimaryUserFilterSetterActivity.class.getName();
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ PackageManager packageManager = getPackageManager();
+ DevicePolicyManager devicePolicyManager = (DevicePolicyManager)
+ getSystemService(Context.DEVICE_POLICY_SERVICE);
+ IntentFilter testIntentFilter = new IntentFilter();
+ testIntentFilter.addAction(PrimaryUserActivity.ACTION);
+ devicePolicyManager.addCrossProfileIntentFilter(ADMIN_RECEIVER_COMPONENT,
+ testIntentFilter, DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
+
+ testIntentFilter = new IntentFilter();
+ testIntentFilter.addAction(ManagedProfileActivity.ACTION);
+ devicePolicyManager.addCrossProfileIntentFilter(ADMIN_RECEIVER_COMPONENT,
+ testIntentFilter, DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
+
+ testIntentFilter = new IntentFilter();
+ testIntentFilter.addAction(AllUsersActivity.ACTION);
+ devicePolicyManager.addCrossProfileIntentFilter(ADMIN_RECEIVER_COMPONENT,
+ testIntentFilter, DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
+ Log.i(TAG, "Roger that!");
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserTest.java b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserTest.java
new file mode 100644
index 0000000..af400a7
--- /dev/null
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/src/com/android/cts/managedprofile/crossprofileintentfilters/PrimaryUserTest.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.managedprofile;
+
+import android.app.admin.DevicePolicyManager;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.test.AndroidTestCase;
+
+/**
+ * Test for {@link DevicePolicyManager#addCrossProfileIntentFilter} API, for
+ * {@code DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT}.
+ *
+ * Note that it expects that there is an activity responding to {@code PrimaryUserActivity.ACTION}
+ * in the primary profile, one to {@code ManagedProfileActivity.ACTION} in the secondary profile,
+ * and one to {@code AllUsersActivity.ACTION} in both profiles.
+ *
+ * Note that the {code DevicePolicyManager#clearCrossProfileIntentFilters} as well as more complex
+ * test scenarios can be found in {@link ManagedProfileTest}.
+ */
+public class PrimaryUserTest extends AndroidTestCase {
+
+ private PackageManager mPackageManager;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mPackageManager = getContext().getPackageManager();
+ }
+
+ public void testAddCrossProfileIntentFilter_primary() {
+ assertEquals(1, mPackageManager.queryIntentActivities(
+ new Intent(PrimaryUserActivity.ACTION), /* flags = */ 0).size());
+ }
+
+ public void testAddCrossProfileIntentFilter_all() {
+ assertEquals(2, mPackageManager.queryIntentActivities(
+ new Intent(AllUsersActivity.ACTION), /* flags = */ 0).size());
+ }
+
+ public void testAddCrossProfileIntentFilter_managed() {
+ assertEquals(1, mPackageManager.queryIntentActivities(
+ new Intent(ManagedProfileActivity.ACTION), /* flags = */ 0).size());
+ }
+}
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/AndroidManifest.xml b/hostsidetests/devicepolicy/app/ProfileOwner/AndroidManifest.xml
deleted file mode 100644
index 1aaf99f..0000000
--- a/hostsidetests/devicepolicy/app/ProfileOwner/AndroidManifest.xml
+++ /dev/null
@@ -1,38 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (C) 2014 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="com.android.cts.profileowner">
-
- <uses-sdk android:minSdkVersion="20"/>
-
- <application>
- <uses-library android:name="android.test.runner" />
- <receiver
- android:name="com.android.cts.profileowner.BaseProfileOwnerTest$BasicAdminReceiver"
- android:permission="android.permission.BIND_DEVICE_ADMIN">
- <meta-data android:name="android.app.device_admin"
- android:resource="@xml/device_admin" />
- <intent-filter>
- <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
- </intent-filter>
- </receiver>
- </application>
-
- <instrumentation android:name="android.test.InstrumentationTestRunner"
- android:targetPackage="com.android.cts.profileowner"
- android:label="Profile Owner CTS Tests"/>
-</manifest>
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ProfileOwnerTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/BaseDevicePolicyTest.java
similarity index 70%
rename from hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ProfileOwnerTest.java
rename to hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/BaseDevicePolicyTest.java
index 6d51f9e..abd5a99 100644
--- a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ProfileOwnerTest.java
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/BaseDevicePolicyTest.java
@@ -39,25 +39,20 @@
import javax.annotation.Nullable;
/**
- * Set of tests for Profile Owner use cases.
+ * Base class for device policy tests. It offers utility methods to run tests, set device or profile
+ * owner, etc.
*/
-public class ProfileOwnerTest extends DeviceTestCase implements IBuildReceiver {
+public class BaseDevicePolicyTest extends DeviceTestCase implements IBuildReceiver {
private static final String RUNNER = "android.test.InstrumentationTestRunner";
- private static final String PROFILE_OWNER_PKG = "com.android.cts.profileowner";
- private static final String PROFILE_OWNER_APK = "CtsProfileOwnerApp.apk";
-
- private static final String ADMIN_RECEIVER_TEST_CLASS =
- PROFILE_OWNER_PKG + ".BaseProfileOwnerTest$BasicAdminReceiver";
-
private static final String[] REQUIRED_DEVICE_FEATURES = new String[] {
"android.software.managed_users",
"android.software.device_admin" };
private CtsBuildHelper mCtsBuild;
- private int mUserId;
- private boolean mHasFeature;
+
+ protected boolean mHasFeature;
@Override
public void setBuild(IBuildInfo buildInfo) {
@@ -68,102 +63,38 @@
protected void setUp() throws Exception {
super.setUp();
assertNotNull(mCtsBuild); // ensure build has been set before test is run.
- mHasFeature = hasDeviceFeatures(REQUIRED_DEVICE_FEATURES);
-
- if (mHasFeature) {
- mUserId = createUser();
- installApp(PROFILE_OWNER_APK);
- setProfileOwner(PROFILE_OWNER_PKG + "/" + ADMIN_RECEIVER_TEST_CLASS);
- }
+ mHasFeature = getDevice().getApiLevel() >= 21 /* Build.VERSION_CODES.L */
+ && hasDeviceFeatures(REQUIRED_DEVICE_FEATURES);
}
- @Override
- protected void tearDown() throws Exception {
- if (mHasFeature) {
- // Remove the user that we created on setUp(), and the app that we installed.
- String removeUserCommand = "pm remove-user " + mUserId;
- CLog.logAndDisplay(LogLevel.INFO, "Output for command " + removeUserCommand + ": "
- + getDevice().executeShellCommand(removeUserCommand));
- getDevice().uninstallPackage(PROFILE_OWNER_PKG);
- }
-
- super.tearDown();
- }
-
- /**
- * wipData() test removes the managed profile, so it needs to separated from other tests.
- */
- public void testWipeData() throws Exception {
- if (!mHasFeature) {
- return;
- }
- assertTrue(listUsers().contains(mUserId));
- assertTrue(runDeviceTestsAsUser(PROFILE_OWNER_PKG, PROFILE_OWNER_PKG + ".WipeDataTest", mUserId));
- // Note: the managed profile is removed by this test, which will make removeUserCommand in
- // tearDown() to complain, but that should be OK since its result is not asserted.
- assertFalse(listUsers().contains(mUserId));
- }
-
- public void testProfileOwner() throws Exception {
- if (!mHasFeature) {
- return;
- }
- String[] testClassNames = {
- "ProfileOwnerSetupTest"
- };
- for (String className : testClassNames) {
- String testClass = PROFILE_OWNER_PKG + "." + className;
- assertTrue(runDeviceTestsAsUser(PROFILE_OWNER_PKG, testClass, mUserId));
- }
- }
-
- private boolean hasDeviceFeatures(String[] requiredFeatures)
- throws DeviceNotAvailableException {
- // TODO: Move this logic to ITestDevice.
- String command = "pm list features";
- String commandOutput = getDevice().executeShellCommand(command);
-
- // Extract the id of the new user.
- HashSet<String> availableFeatures = new HashSet<String>();
- for (String feature: commandOutput.split("\\s+")) {
- // Each line in the output of the command has the format "feature:{FEATURE_VALUE}".
- String[] tokens = feature.split(":");
- assertTrue(tokens.length > 1);
- assertEquals("feature", tokens[0]);
- availableFeatures.add(tokens[1]);
- }
-
- for (String requiredFeature : requiredFeatures) {
- if(!availableFeatures.contains(requiredFeature)) {
- CLog.logAndDisplay(LogLevel.INFO, "Device doesn't have required feature "
- + requiredFeature + ". Tests won't run.");
- return false;
- }
- }
- return true;
- }
-
- private void installApp(String fileName)
+ protected void installApp(String fileName)
throws FileNotFoundException, DeviceNotAvailableException {
String installResult = getDevice().installPackage(mCtsBuild.getTestApp(fileName), true);
assertNull(String.format("Failed to install %s, Reason: %s", fileName, installResult),
installResult);
}
- private int createUser() throws DeviceNotAvailableException {
- String command =
- "pm create-user --profileOf 0 --managed TestProfile_" + System.currentTimeMillis();
+ /** Initializes the user with the given id. This is required so that apps can run on it. */
+ protected void startUser(int userId) throws DeviceNotAvailableException {
+ String command = "am start-user " + userId;
String commandOutput = getDevice().executeShellCommand(command);
CLog.logAndDisplay(LogLevel.INFO, "Output for command " + command + ": " + commandOutput);
-
- // Extract the id of the new user.
- String[] tokens = commandOutput.split("\\s+");
- assertTrue(tokens.length > 0);
- assertEquals("Success:", tokens[0]);
- return Integer.parseInt(tokens[tokens.length-1]);
+ assertTrue(commandOutput.startsWith("Success:"));
}
- private ArrayList<Integer> listUsers() throws DeviceNotAvailableException {
+ protected int getMaxNumberOfUsersSupported() throws DeviceNotAvailableException {
+ // TODO: move this to ITestDevice once it supports users
+ String command = "pm get-max-users";
+ String commandOutput = getDevice().executeShellCommand(command);
+ try {
+ return Integer.parseInt(commandOutput.substring(commandOutput.lastIndexOf(" ")).trim());
+ } catch (NumberFormatException e) {
+ fail("Failed to parse result: " + commandOutput);
+ }
+ return 0;
+ }
+
+ protected ArrayList<Integer> listUsers() throws DeviceNotAvailableException {
String command = "pm list users";
String commandOutput = getDevice().executeShellCommand(command);
@@ -183,28 +114,28 @@
return users;
}
- private void setProfileOwner(String componentName) throws DeviceNotAvailableException {
- String command = "dpm set-profile-owner '" + componentName + "' " + mUserId;
- String commandOutput = getDevice().executeShellCommand(command);
- CLog.logAndDisplay(LogLevel.INFO, "Output for command " + command + ": " + commandOutput);
- assertTrue(commandOutput.startsWith("Success:"));
+ protected void removeUser(int userId) throws DeviceNotAvailableException {
+ String removeUserCommand = "pm remove-user " + userId;
+ CLog.logAndDisplay(LogLevel.INFO, "Output for command " + removeUserCommand + ": "
+ + getDevice().executeShellCommand(removeUserCommand));
}
/** Returns true if the specified tests passed. Tests are run as user owner. */
- private boolean runDeviceTests(String pkgName, @Nullable String testClassName)
+ protected boolean runDeviceTests(String pkgName, @Nullable String testClassName)
throws DeviceNotAvailableException {
return runDeviceTests(pkgName, testClassName, null /*testMethodName*/, null /*userId*/);
}
/** Returns true if the specified tests passed. Tests are run as given user. */
- private boolean runDeviceTestsAsUser(String pkgName, @Nullable String testClassName, int userId)
+ protected boolean runDeviceTestsAsUser(
+ String pkgName, @Nullable String testClassName, int userId)
throws DeviceNotAvailableException {
return runDeviceTests(pkgName, testClassName, null /*testMethodName*/, userId);
}
private boolean runDeviceTests(String pkgName, @Nullable String testClassName,
@Nullable String testMethodName, @Nullable Integer userId)
- throws DeviceNotAvailableException {
+ throws DeviceNotAvailableException {
TestRunResult runResult = (userId == null)
? doRunTests(pkgName, testClassName, testMethodName)
: doRunTestsAsUser(pkgName, testClassName, testMethodName, userId);
@@ -214,8 +145,8 @@
/** Helper method to run tests and return the listener that collected the results. */
private TestRunResult doRunTests(
- String pkgName, @Nullable String testClassName, @Nullable String testMethodName)
- throws DeviceNotAvailableException {
+ String pkgName, String testClassName,
+ String testMethodName) throws DeviceNotAvailableException {
RemoteAndroidTestRunner testRunner = new RemoteAndroidTestRunner(
pkgName, RUNNER, getDevice().getIDevice());
if (testClassName != null && testMethodName != null) {
@@ -263,4 +194,30 @@
}
}
}
+
+ private boolean hasDeviceFeatures(String[] requiredFeatures)
+ throws DeviceNotAvailableException {
+ // TODO: Move this logic to ITestDevice.
+ String command = "pm list features";
+ String commandOutput = getDevice().executeShellCommand(command);
+
+ // Extract the id of the new user.
+ HashSet<String> availableFeatures = new HashSet<String>();
+ for (String feature: commandOutput.split("\\s+")) {
+ // Each line in the output of the command has the format "feature:{FEATURE_VALUE}".
+ String[] tokens = feature.split(":");
+ assertTrue(tokens.length > 1);
+ assertEquals("feature", tokens[0]);
+ availableFeatures.add(tokens[1]);
+ }
+
+ for (String requiredFeature : requiredFeatures) {
+ if(!availableFeatures.contains(requiredFeature)) {
+ CLog.logAndDisplay(LogLevel.INFO, "Device doesn't have required feature "
+ + requiredFeature + ". Tests won't run.");
+ return false;
+ }
+ }
+ return true;
+ }
}
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceOwnerTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceOwnerTest.java
new file mode 100644
index 0000000..39e2b95
--- /dev/null
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceOwnerTest.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.devicepolicy;
+
+import com.android.ddmlib.Log.LogLevel;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.log.LogUtil.CLog;
+
+/**
+ * Set of tests for Device Owner use cases.
+ */
+public class DeviceOwnerTest extends BaseDevicePolicyTest {
+
+ private static final String DEVICE_OWNER_PKG = "com.android.cts.deviceowner";
+ private static final String DEVICE_OWNER_APK = "CtsDeviceOwnerApp.apk";
+
+ private static final String ADMIN_RECEIVER_TEST_CLASS =
+ DEVICE_OWNER_PKG + ".BaseDeviceOwnerTest$BasicAdminReceiver";
+ private static final String CLEAR_DEVICE_OWNER_TEST_CLASS =
+ DEVICE_OWNER_PKG + ".ClearDeviceOwnerTest";
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ if (mHasFeature) {
+ installApp(DEVICE_OWNER_APK);
+ setDeviceOwner(DEVICE_OWNER_PKG + "/" + ADMIN_RECEIVER_TEST_CLASS);
+ }
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ if (mHasFeature) {
+ assertTrue("Failed to remove device owner.",
+ runDeviceTests(DEVICE_OWNER_PKG, CLEAR_DEVICE_OWNER_TEST_CLASS));
+ getDevice().uninstallPackage(DEVICE_OWNER_PKG);
+ }
+
+ super.tearDown();
+ }
+
+ public void testApplicationRestrictions() throws Exception {
+ executeDeviceOwnerTest("ApplicationRestrictionsTest");
+ }
+
+ public void testCaCertManagement() throws Exception {
+ executeDeviceOwnerTest("CaCertManagementTest");
+ }
+
+ public void testDeviceOwnerSetup() throws Exception {
+ executeDeviceOwnerTest("DeviceOwnerSetupTest");
+ }
+
+ public void testKeyManagement() throws Exception {
+ executeDeviceOwnerTest("KeyManagementTest");
+ }
+
+ public void testLockTask() throws Exception {
+ executeDeviceOwnerTest("LockTaskTest");
+ }
+
+ public void testPersistentIntentResolving() throws Exception {
+ executeDeviceOwnerTest("PersistentIntentResolvingTest");
+ }
+
+ public void testScreenCaptureDisabled() throws Exception {
+ executeDeviceOwnerTest("ScreenCaptureDisabledTest");
+ }
+
+ private void executeDeviceOwnerTest(String testClassName) throws Exception {
+ if (!mHasFeature) {
+ return;
+ }
+ String testClass = DEVICE_OWNER_PKG + "." + testClassName;
+ assertTrue(runDeviceTests(DEVICE_OWNER_PKG, testClass));
+ }
+
+ private void setDeviceOwner(String componentName) throws DeviceNotAvailableException {
+ String command = "dpm set-device-owner '" + componentName + "'";
+ String commandOutput = getDevice().executeShellCommand(command);
+ CLog.logAndDisplay(LogLevel.INFO, "Output for command " + command + ": " + commandOutput);
+ assertTrue(commandOutput.startsWith("Success:"));
+ }
+
+}
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileTest.java
new file mode 100644
index 0000000..85ffb4c
--- /dev/null
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileTest.java
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.devicepolicy;
+
+import com.android.ddmlib.Log.LogLevel;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.log.LogUtil.CLog;
+
+/**
+ * Set of tests for Managed Profile use cases.
+ */
+public class ManagedProfileTest extends BaseDevicePolicyTest {
+
+ private static final String MANAGED_PROFILE_PKG = "com.android.cts.managedprofile";
+ private static final String MANAGED_PROFILE_APK = "CtsManagedProfileApp.apk";
+
+ private static final String ADMIN_RECEIVER_TEST_CLASS =
+ MANAGED_PROFILE_PKG + ".BaseManagedProfileTest$BasicAdminReceiver";
+
+ private int mUserId;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ // We need multi user to be supported in order to create a profile of the user owner.
+ mHasFeature = mHasFeature && (getMaxNumberOfUsersSupported() > 1);
+
+ if (mHasFeature) {
+ mUserId = createManagedProfile();
+ installApp(MANAGED_PROFILE_APK);
+ setProfileOwner(MANAGED_PROFILE_PKG + "/" + ADMIN_RECEIVER_TEST_CLASS, mUserId);
+ startUser(mUserId);
+ }
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ if (mHasFeature) {
+ removeUser(mUserId);
+ getDevice().uninstallPackage(MANAGED_PROFILE_PKG);
+ }
+
+ super.tearDown();
+ }
+
+ public void testManagedProfileSetup() throws Exception {
+ if (!mHasFeature) {
+ return;
+ }
+ assertTrue(runDeviceTestsAsUser(
+ MANAGED_PROFILE_PKG, MANAGED_PROFILE_PKG + ".ManagedProfileSetupTest", mUserId));
+ }
+
+ /**
+ * wipeData() test removes the managed profile, so it needs to separated from other tests.
+ */
+ public void testWipeData() throws Exception {
+ if (!mHasFeature) {
+ return;
+ }
+ assertTrue(listUsers().contains(mUserId));
+ assertTrue(runDeviceTestsAsUser(
+ MANAGED_PROFILE_PKG, MANAGED_PROFILE_PKG + ".WipeDataTest", mUserId));
+ // Note: the managed profile is removed by this test, which will make removeUserCommand in
+ // tearDown() to complain, but that should be OK since its result is not asserted.
+ assertFalse(listUsers().contains(mUserId));
+ }
+
+// TODO: Reinstate once we find another way of disabling an activity for a user (adb pm disable does
+// not work at the moment on non-eng builds.
+// public void testCrossProfileIntentFilters() throws Exception {
+// if (!mHasFeature) {
+// return;
+// }
+// // Set up activities: ManagedProfileActivity will only be enabled in the managed profile and
+// // PrimaryUserActivity only in the primary one
+// disableActivityForUser("ManagedProfileActivity", 0);
+// disableActivityForUser("PrimaryUserActivity", mUserId);
+//
+// assertTrue(runDeviceTestsAsUser(MANAGED_PROFILE_PKG,
+// MANAGED_PROFILE_PKG + ".ManagedProfileTest", mUserId));
+//
+// // Set up filters from primary to managed profile
+// String command = "am start -W --user " + mUserId + " " + MANAGED_PROFILE_PKG
+// + "/.PrimaryUserFilterSetterActivity";
+// CLog.logAndDisplay(LogLevel.INFO, "Output for command " + command + ": "
+// + getDevice().executeShellCommand(command));
+// assertTrue(runDeviceTests(MANAGED_PROFILE_PKG, MANAGED_PROFILE_PKG + ".PrimaryUserTest"));
+// // TODO: Test with startActivity
+// // TODO: Test with CtsVerifier for disambiguation cases
+// }
+
+ private void disableActivityForUser(String activityName, int userId)
+ throws DeviceNotAvailableException {
+ String command = "pm disable --user " + userId + " " + MANAGED_PROFILE_PKG + "/."
+ + activityName;
+ CLog.logAndDisplay(LogLevel.INFO, "Output for command " + command + ": "
+ + getDevice().executeShellCommand(command));
+ }
+
+ private int createManagedProfile() throws DeviceNotAvailableException {
+ String command =
+ "pm create-user --profileOf 0 --managed TestProfile_" + System.currentTimeMillis();
+ String commandOutput = getDevice().executeShellCommand(command);
+ CLog.logAndDisplay(LogLevel.INFO, "Output for command " + command + ": " + commandOutput);
+
+ // Extract the id of the new user.
+ String[] tokens = commandOutput.split("\\s+");
+ assertTrue(tokens.length > 0);
+ assertEquals("Success:", tokens[0]);
+ return Integer.parseInt(tokens[tokens.length-1]);
+ }
+
+ private void setProfileOwner(String componentName, int userId)
+ throws DeviceNotAvailableException {
+ String command = "dpm set-profile-owner '" + componentName + "' " + userId;
+ String commandOutput = getDevice().executeShellCommand(command);
+ CLog.logAndDisplay(LogLevel.INFO, "Output for command " + command + ": " + commandOutput);
+ assertTrue(commandOutput.startsWith("Success:"));
+ }
+}
diff --git a/suite/cts/hostTests/uihost/src/com/android/cts/uihost/TaskSwitchingTest.java b/suite/cts/hostTests/uihost/src/com/android/cts/uihost/TaskSwitchingTest.java
index 100f448..894b824 100644
--- a/suite/cts/hostTests/uihost/src/com/android/cts/uihost/TaskSwitchingTest.java
+++ b/suite/cts/hostTests/uihost/src/com/android/cts/uihost/TaskSwitchingTest.java
@@ -115,7 +115,7 @@
@Override
public void testEnded(TestIdentifier test, Map<String, String> testMetrics) {
// necessary as testMetrics passed from CollectingTestListerner is empty
- mCtsReport = testMetrics.get("CTS_TEST_REPORT");
+ mCtsReport = testMetrics.get("CTS_TEST_RESULT");
super.testEnded(test, testMetrics);
}
}
diff --git a/tests/SignatureTest/src/android/tests/sigtest/SignatureTestLog.java b/tests/SignatureTest/src/android/tests/sigtest/SignatureTestLog.java
deleted file mode 100644
index 7cd9663..0000000
--- a/tests/SignatureTest/src/android/tests/sigtest/SignatureTestLog.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.tests.sigtest;
-
-import android.util.Log;
-
-public class SignatureTestLog {
- private static final String TAG = "CTSSignatureTest";
-
- public static void e(String msg, Exception e) {
- Log.e(TAG, msg, e);
- }
-
- public static void d(String msg) {
- Log.d(TAG, msg);
- }
-}
diff --git a/tests/SignatureTest/tests/Android.mk b/tests/SignatureTest/tests/Android.mk
deleted file mode 100644
index 0796670..0000000
--- a/tests/SignatureTest/tests/Android.mk
+++ /dev/null
@@ -1,24 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-include $(CLEAR_VARS)
-
-# don't include this package in any target
-LOCAL_MODULE_TAGS := optional
-# and when built explicitly put it in the data partition
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-
-# Include all test java files.
-LOCAL_SRC_FILES := $(call all-java-files-under, src)
-
-LOCAL_PACKAGE_NAME := SignatureTestTests
-
-LOCAL_INSTRUMENTATION_FOR := SignatureTest
-
-LOCAL_PROGUARD_FLAGS := -ignorewarnings
-
-LOCAL_DEX_PREOPT := false
-
-LOCAL_SDK_VERSION := current
-
-LOCAL_STATIC_JAVA_LIBRARIES := android-support-test
-
-include $(BUILD_PACKAGE)
diff --git a/tests/SignatureTest/tests/AndroidManifest.xml b/tests/SignatureTest/tests/AndroidManifest.xml
deleted file mode 100644
index 49b3827..0000000
--- a/tests/SignatureTest/tests/AndroidManifest.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (C) 2009 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.tests.sigtest.tests">
-
- <application>
- <uses-library android:name="android.test.runner"/>
- </application>
-
- <instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
- android:targetPackage="android.tests.sigtest"
- android:label="SignatureTest Functional Testset"/>
-
-</manifest>
diff --git a/tests/core/ctscore.mk b/tests/core/ctscore.mk
index 95f4634..fea0b07 100644
--- a/tests/core/ctscore.mk
+++ b/tests/core/ctscore.mk
@@ -25,4 +25,8 @@
LOCAL_JNI_SHARED_LIBRARIES := libjavacoretests
+# Include both the 32 and 64 bit versions of libjavacoretests,
+# where applicable.
+LOCAL_MULTILIB := both
+
include $(BUILD_PACKAGE)
diff --git a/tests/expectations/knownfailures.txt b/tests/expectations/knownfailures.txt
index fcf153c..5ce84f7 100644
--- a/tests/expectations/knownfailures.txt
+++ b/tests/expectations/knownfailures.txt
@@ -40,9 +40,12 @@
"android.webgl.cts.WebGLTest#test_conformance_textures_tex_image_and_sub_image_2d_with_video_rgba4444_html",
"android.webgl.cts.WebGLTest#test_conformance_textures_tex_image_and_sub_image_2d_with_video_rgba5551_html",
"android.webgl.cts.WebGLTest#test_conformance_textures_texture_npot_html",
- "android.webgl.cts.WebGLTest#test_conformance_textures_texture_npot_video_html"
+ "android.webgl.cts.WebGLTest#test_conformance_textures_texture_npot_video_html",
+ "android.webgl.cts.WebGLTest#test_conformance_glsl_misc_empty_main_vert_html",
+ "android.webgl.cts.WebGLTest#test_conformance_glsl_misc_gl_position_unset_vert_html",
+ "android.webgl.cts.WebGLTest#test_conformance_misc_webgl_specific_html"
],
- bug: 14639928
+ bug: 17748398
},
{
description: "permissions for the API previously used in the test has changed, making it impossible to pass",
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk b/tests/signature-tests/Android.mk
similarity index 69%
copy from hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
copy to tests/signature-tests/Android.mk
index baf540b..f17ee47 100644
--- a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
+++ b/tests/signature-tests/Android.mk
@@ -1,4 +1,4 @@
-# Copyright (C) 2014 The Android Open Source Project
+# Copyright (C) 2010 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,20 +12,15 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-LOCAL_PATH:= $(call my-dir)
+LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_PACKAGE_NAME := CtsProfileOwnerApp
-
-LOCAL_MODULE_TAGS := optional
-
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-
+# Include all test java files.
LOCAL_SRC_FILES := $(call all-java-files-under, src)
-LOCAL_JAVA_LIBRARIES := android.test.runner cts-junit
+LOCAL_MODULE := signature-tests
+LOCAL_MODULE_TAGS := optional
+LOCAL_JAVA_LIBRARIES := tradefed-prebuilt cts-tradefed signature-hostside
-LOCAL_SDK_VERSION := current
-
-include $(BUILD_CTS_PACKAGE)
+include $(BUILD_HOST_JAVA_LIBRARY)
diff --git a/tests/signature-tests/run_unit_tests.sh b/tests/signature-tests/run_unit_tests.sh
new file mode 100755
index 0000000..19ce8d2
--- /dev/null
+++ b/tests/signature-tests/run_unit_tests.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Copyright (C) 2014 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# helper script for running the signature unit tests
+
+checkFile() {
+ if [ ! -f "$1" ]; then
+ echo "Unable to locate $1"
+ exit
+ fi;
+}
+
+# check if in Android build env
+if [ ! -z ${ANDROID_BUILD_TOP} ]; then
+ HOST=`uname`
+ if [ "$HOST" == "Linux" ]; then
+ OS="linux-x86"
+ elif [ "$HOST" == "Darwin" ]; then
+ OS="darwin-x86"
+ else
+ echo "Unrecognized OS"
+ exit
+ fi;
+fi;
+
+JAR_DIR=${ANDROID_BUILD_TOP}/out/host/$OS/framework
+JARS="tradefed-prebuilt.jar hosttestlib.jar signature-hostside.jar signature-tests.jar"
+
+for JAR in $JARS; do
+ checkFile ${JAR_DIR}/${JAR}
+ JAR_PATH=${JAR_PATH}:${JAR_DIR}/${JAR}
+done
+
+java $RDBG_FLAG \
+ -cp ${JAR_PATH} com.android.tradefed.command.Console run singleCommand host -n --class android.signature.cts.tests.AllTests "$@"
+
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/AllTests.java b/tests/signature-tests/src/android/signature/cts/tests/AllTests.java
similarity index 70%
rename from tests/SignatureTest/tests/src/android/tests/sigtest/tests/AllTests.java
rename to tests/signature-tests/src/android/signature/cts/tests/AllTests.java
index 096cb02..56916f4 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/AllTests.java
+++ b/tests/signature-tests/src/android/signature/cts/tests/AllTests.java
@@ -14,18 +14,23 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests;
+package android.signature.cts.tests;
-import android.test.TestSuiteProvider;
-import android.test.suitebuilder.TestSuiteBuilder;
-
+import junit.framework.Test;
import junit.framework.TestSuite;
/**
* Finds all instrumentation and unit tests for this application.
*/
-public class AllTests implements TestSuiteProvider {
- public TestSuite getTestSuite() {
- return new TestSuiteBuilder(getClass()).includeAllPackagesUnderHere().build();
+public class AllTests extends TestSuite {
+
+ public AllTests() {
+ super();
+
+ addTestSuite(JDiffClassDescriptionTest.class);
+ }
+
+ public static Test suite() {
+ return new AllTests();
}
}
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/JDiffClassDescriptionTest.java b/tests/signature-tests/src/android/signature/cts/tests/JDiffClassDescriptionTest.java
similarity index 61%
rename from tests/SignatureTest/tests/src/android/tests/sigtest/tests/JDiffClassDescriptionTest.java
rename to tests/signature-tests/src/android/signature/cts/tests/JDiffClassDescriptionTest.java
index b5bf49e..ffb81ce 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/JDiffClassDescriptionTest.java
+++ b/tests/signature-tests/src/android/signature/cts/tests/JDiffClassDescriptionTest.java
@@ -14,48 +14,53 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests;
+package android.signature.cts.tests;
-import android.test.InstrumentationTestCase;
-import android.tests.sigtest.JDiffClassDescription;
-import android.tests.sigtest.ResultObserver;
-import android.tests.sigtest.SignatureTest.FAILURE_TYPE;
+import android.signature.cts.FailureType;
+import android.signature.cts.JDiffClassDescription;
+import android.signature.cts.ResultObserver;
+
+import junit.framework.Assert;
+import junit.framework.TestCase;
import java.lang.reflect.Modifier;
/**
* Test class for JDiffClassDescription.
*/
-public class JDiffClassDescriptionTest extends InstrumentationTestCase {
+public class JDiffClassDescriptionTest extends TestCase {
+
private class NoFailures implements ResultObserver {
- public void notifyFailure(FAILURE_TYPE type, String name, String errmsg) {
- JDiffClassDescriptionTest.this.fail("Saw unexpected test failure: " + name + " failure type: " + type);
+ @Override
+ public void notifyFailure(FailureType type, String name, String errmsg) {
+ Assert.fail("Saw unexpected test failure: " + name + " failure type: " + type);
}
}
private class ExpectFailure implements ResultObserver {
- private FAILURE_TYPE expectedType;
+ private FailureType expectedType;
private boolean failureSeen;
- public ExpectFailure(FAILURE_TYPE expectedType) {
+ public ExpectFailure(FailureType expectedType) {
this.expectedType = expectedType;
}
- public void notifyFailure(FAILURE_TYPE type, String name, String errMsg) {
+ @Override
+ public void notifyFailure(FailureType type, String name, String errMsg) {
if (type == expectedType) {
if (failureSeen) {
- JDiffClassDescriptionTest.this.fail("Saw second test failure: " + name + " failure type: " + type);
+ Assert.fail("Saw second test failure: " + name + " failure type: " + type);
} else {
// We've seen the error, mark it and keep going
failureSeen = true;
}
} else {
- JDiffClassDescriptionTest.this.fail("Saw unexpected test failure: " + name + " failure type: " + type);
+ Assert.fail("Saw unexpected test failure: " + name + " failure type: " + type);
}
}
-
+
public void validate() {
- JDiffClassDescriptionTest.this.assertTrue(failureSeen);
+ Assert.assertTrue(failureSeen);
}
}
@@ -74,24 +79,23 @@
* @return the new JDiffClassDescription
*/
private JDiffClassDescription createNormalClass(ResultObserver observer) {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "NormalClass", observer);
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NormalClass", observer);
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC);
return clz;
- }
+ }
public void testNormalClassCompliance() {
JDiffClassDescription clz = createNormalClass();
clz.checkSignatureCompliance();
- assertEquals(clz.toSignatureString(),
- "public class NormalClass");
+ assertEquals(clz.toSignatureString(), "public class NormalClass");
}
public void testMissingClass() {
- ExpectFailure observer = new ExpectFailure(FAILURE_TYPE.MISSING_CLASS);
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data",
- "NoSuchClass",
- observer);
+ ExpectFailure observer = new ExpectFailure(FailureType.MISSING_CLASS);
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NoSuchClass", observer);
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.checkSignatureCompliance();
observer.validate();
@@ -99,88 +103,110 @@
public void testSimpleConstructor() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffConstructor constructor = new JDiffClassDescription.JDiffConstructor("NormalClass", Modifier.PUBLIC);
+ JDiffClassDescription.JDiffConstructor constructor =
+ new JDiffClassDescription.JDiffConstructor("NormalClass", Modifier.PUBLIC);
clz.addConstructor(constructor);
clz.checkSignatureCompliance();
assertEquals(constructor.toSignatureString(), "public NormalClass()");
}
+
public void testOneArgConstructor() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffConstructor constructor = new JDiffClassDescription.JDiffConstructor("NormalClass", Modifier.PRIVATE);
+ JDiffClassDescription.JDiffConstructor constructor =
+ new JDiffClassDescription.JDiffConstructor("NormalClass", Modifier.PRIVATE);
constructor.addParam("java.lang.String");
clz.addConstructor(constructor);
clz.checkSignatureCompliance();
assertEquals(constructor.toSignatureString(), "private NormalClass(java.lang.String)");
}
+
public void testConstructorThrowsException() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffConstructor constructor = new JDiffClassDescription.JDiffConstructor("NormalClass", Modifier.PROTECTED);
+ JDiffClassDescription.JDiffConstructor constructor =
+ new JDiffClassDescription.JDiffConstructor("NormalClass", Modifier.PROTECTED);
constructor.addParam("java.lang.String");
constructor.addParam("java.lang.String");
- constructor.addException("android.tests.sigtest.tests.data.NormalException");
+ constructor.addException("android.signature.cts.tests.data.NormalException");
clz.addConstructor(constructor);
clz.checkSignatureCompliance();
- assertEquals(constructor.toSignatureString(), "protected NormalClass(java.lang.String, " +
- "java.lang.String) throws android.tests.sigtest.tests.data.NormalException");
+ assertEquals(constructor.toSignatureString(),
+ "protected NormalClass(java.lang.String, java.lang.String) " +
+ "throws android.signature.cts.tests.data.NormalException");
}
+
public void testPackageProtectedConstructor() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffConstructor constructor = new JDiffClassDescription.JDiffConstructor("NormalClass", 0);
+ JDiffClassDescription.JDiffConstructor constructor =
+ new JDiffClassDescription.JDiffConstructor("NormalClass", 0);
constructor.addParam("java.lang.String");
constructor.addParam("java.lang.String");
constructor.addParam("java.lang.String");
clz.addConstructor(constructor);
clz.checkSignatureCompliance();
- assertEquals(constructor.toSignatureString(), "NormalClass(java.lang.String, java.lang.String, java.lang.String)");
+ assertEquals(constructor.toSignatureString(),
+ "NormalClass(java.lang.String, java.lang.String, java.lang.String)");
}
public void testStaticMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("staticMethod", Modifier.STATIC | Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "staticMethod", Modifier.STATIC | Modifier.PUBLIC, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
assertEquals(method.toSignatureString(), "public static void staticMethod()");
}
+
public void testSyncMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("syncMethod", Modifier.SYNCHRONIZED | Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "syncMethod", Modifier.SYNCHRONIZED | Modifier.PUBLIC, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
assertEquals(method.toSignatureString(), "public synchronized void syncMethod()");
}
+
public void testPackageProtectMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("packageProtectedMethod", 0, "boolean");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "packageProtectedMethod", 0, "boolean");
clz.addMethod(method);
clz.checkSignatureCompliance();
assertEquals(method.toSignatureString(), "boolean packageProtectedMethod()");
}
+
public void testPrivateMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("privateMethod", Modifier.PRIVATE, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "privateMethod", Modifier.PRIVATE, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
assertEquals(method.toSignatureString(), "private void privateMethod()");
}
+
public void testProtectedMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("protectedMethod", Modifier.PROTECTED, "java.lang.String");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "protectedMethod", Modifier.PROTECTED, "java.lang.String");
clz.addMethod(method);
clz.checkSignatureCompliance();
assertEquals(method.toSignatureString(), "protected java.lang.String protectedMethod()");
}
+
public void testThrowsMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("throwsMethod", Modifier.PUBLIC, "void");
- method.addException("android.tests.sigtest.tests.data.NormalException");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "throwsMethod", Modifier.PUBLIC, "void");
+ method.addException("android.signature.cts.tests.data.NormalException");
clz.addMethod(method);
clz.checkSignatureCompliance();
- assertEquals(method.toSignatureString(), "public void throwsMethod() throws" +
- " android.tests.sigtest.tests.data.NormalException");
+ assertEquals(method.toSignatureString(), "public void throwsMethod() " +
+ "throws android.signature.cts.tests.data.NormalException");
}
+
public void testNativeMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("nativeMethod", Modifier.PUBLIC | Modifier.NATIVE, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "nativeMethod", Modifier.PUBLIC | Modifier.NATIVE, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
assertEquals(method.toSignatureString(), "public native void nativeMethod()");
@@ -188,207 +214,259 @@
public void testFinalField() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("FINAL_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.FINAL);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "FINAL_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.FINAL);
clz.addField(field);
clz.checkSignatureCompliance();
assertEquals(field.toSignatureString(), "public final java.lang.String FINAL_FIELD");
}
+
public void testStaticField() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("STATIC_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.STATIC);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "STATIC_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.STATIC);
clz.addField(field);
clz.checkSignatureCompliance();
assertEquals(field.toSignatureString(), "public static java.lang.String STATIC_FIELD");
}
+
public void testVolatileFiled() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("VOLATILE_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.VOLATILE);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "VOLATILE_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.VOLATILE);
clz.addField(field);
clz.checkSignatureCompliance();
assertEquals(field.toSignatureString(), "public volatile java.lang.String VOLATILE_FIELD");
}
+
public void testTransientField() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("TRANSIENT_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.TRANSIENT);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "TRANSIENT_FIELD", "java.lang.String", Modifier.PUBLIC | Modifier.TRANSIENT);
clz.addField(field);
clz.checkSignatureCompliance();
- assertEquals(field.toSignatureString(), "public transient java.lang.String TRANSIENT_FIELD");
+ assertEquals(field.toSignatureString(),
+ "public transient java.lang.String TRANSIENT_FIELD");
}
+
public void testPacakgeField() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("PACAKGE_FIELD", "java.lang.String", 0);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "PACAKGE_FIELD", "java.lang.String", 0);
clz.addField(field);
clz.checkSignatureCompliance();
assertEquals(field.toSignatureString(), "java.lang.String PACAKGE_FIELD");
}
+
public void testPrivateField() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("PRIVATE_FIELD", "java.lang.String", Modifier.PRIVATE);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "PRIVATE_FIELD", "java.lang.String", Modifier.PRIVATE);
clz.addField(field);
clz.checkSignatureCompliance();
assertEquals(field.toSignatureString(), "private java.lang.String PRIVATE_FIELD");
}
+
public void testProtectedField() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("PROTECTED_FIELD", "java.lang.String", Modifier.PROTECTED);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "PROTECTED_FIELD", "java.lang.String", Modifier.PROTECTED);
clz.addField(field);
clz.checkSignatureCompliance();
assertEquals(field.toSignatureString(), "protected java.lang.String PROTECTED_FIELD");
}
public void testInnerClass() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "NormalClass.InnerClass", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NormalClass.InnerClass", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC);
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("innerClassData", "java.lang.String", Modifier.PRIVATE);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "innerClassData", "java.lang.String", Modifier.PRIVATE);
clz.addField(field);
clz.checkSignatureCompliance();
assertEquals(clz.toSignatureString(), "public class NormalClass.InnerClass");
}
+
public void testInnerInnerClass() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "NormalClass.InnerClass.InnerInnerClass", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NormalClass.InnerClass.InnerInnerClass",
+ new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC);
- JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField("innerInnerClassData", "java.lang.String", Modifier.PRIVATE);
+ JDiffClassDescription.JDiffField field = new JDiffClassDescription.JDiffField(
+ "innerInnerClassData", "java.lang.String", Modifier.PRIVATE);
clz.addField(field);
clz.checkSignatureCompliance();
- assertEquals(clz.toSignatureString(), "public class NormalClass.InnerClass.InnerInnerClass");
+ assertEquals(clz.toSignatureString(),
+ "public class NormalClass.InnerClass.InnerInnerClass");
}
+
public void testInnerInterface() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "NormalClass.InnerInterface", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NormalClass.InnerInterface", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.INTERFACE);
clz.setModifier(Modifier.PUBLIC | Modifier.STATIC | Modifier.ABSTRACT);
- clz.addMethod(new JDiffClassDescription.JDiffMethod("doSomething", Modifier.PUBLIC, "void"));
+ clz.addMethod(
+ new JDiffClassDescription.JDiffMethod("doSomething", Modifier.PUBLIC, "void"));
clz.checkSignatureCompliance();
assertEquals(clz.toSignatureString(), "public interface NormalClass.InnerInterface");
}
+
public void testInterface() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "NormalInterface", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NormalInterface", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.INTERFACE);
clz.setModifier(Modifier.PUBLIC | Modifier.ABSTRACT);
- clz.addMethod(new JDiffClassDescription.JDiffMethod("doSomething", Modifier.PUBLIC, "void"));
+ clz.addMethod(
+ new JDiffClassDescription.JDiffMethod("doSomething", Modifier.PUBLIC, "void"));
clz.checkSignatureCompliance();
assertEquals(clz.toSignatureString(), "public interface NormalInterface");
}
+
public void testFinalClass() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "FinalClass", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "FinalClass", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC | Modifier.FINAL);
clz.checkSignatureCompliance();
assertEquals(clz.toSignatureString(), "public final class FinalClass");
}
- /** Test the case where the API declares the method not
- * synchronized, but it actually is. */
+
+ /**
+ * Test the case where the API declares the method not synchronized, but it
+ * actually is.
+ */
public void testAddingSync() {
- ExpectFailure observer = new ExpectFailure(FAILURE_TYPE.MISMATCH_METHOD);
+ ExpectFailure observer = new ExpectFailure(FailureType.MISMATCH_METHOD);
JDiffClassDescription clz = createNormalClass(observer);
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("syncMethod", Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "syncMethod", Modifier.PUBLIC, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
observer.validate();
}
- /** Test the case where the API declares the method is
- * synchronized, but it actually is not. */
+
+ /**
+ * Test the case where the API declares the method is synchronized, but it
+ * actually is not.
+ */
public void testRemovingSync() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("notSyncMethod", Modifier.SYNCHRONIZED | Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "notSyncMethod", Modifier.SYNCHRONIZED | Modifier.PUBLIC, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
}
- /** API says method is not native, but it actually is.
- * http://b/1839558
+
+ /**
+ * API says method is not native, but it actually is. http://b/1839558
*/
public void testAddingNative() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("nativeMethod", Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "nativeMethod", Modifier.PUBLIC, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
}
- /** API says method is native, but actually isn't.
- * http://b/1839558
+
+ /**
+ * API says method is native, but actually isn't. http://b/1839558
*/
public void testRemovingNative() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("notNativeMethod", Modifier.NATIVE | Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "notNativeMethod", Modifier.NATIVE | Modifier.PUBLIC, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
}
+
public void testAbstractClass() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "AbstractClass", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "AbstractClass", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC | Modifier.ABSTRACT);
clz.checkSignatureCompliance();
assertEquals(clz.toSignatureString(), "public abstract class AbstractClass");
}
- /** API lists class as abstract, reflection does not.
- * http://b/1839622
+
+ /**
+ * API lists class as abstract, reflection does not. http://b/1839622
*/
public void testRemovingAbstractFromAClass() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "NormalClass", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NormalClass", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC | Modifier.ABSTRACT);
clz.checkSignatureCompliance();
}
- /** reflection lists class as abstract, api does not.
- * http://b/1839622
+
+ /**
+ * reflection lists class as abstract, api does not. http://b/1839622
*/
public void testAddingAbstractToAClass() {
- ExpectFailure observer = new ExpectFailure(FAILURE_TYPE.MISMATCH_CLASS);
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data",
- "AbstractClass",
- observer);
+ ExpectFailure observer = new ExpectFailure(FailureType.MISMATCH_CLASS);
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "AbstractClass", observer);
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC);
clz.checkSignatureCompliance();
observer.validate();
}
+
public void testFinalMethod() {
JDiffClassDescription clz = createNormalClass();
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("finalMethod", Modifier.PUBLIC | Modifier.FINAL, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "finalMethod", Modifier.PUBLIC | Modifier.FINAL, "void");
clz.addMethod(method);
clz.checkSignatureCompliance();
assertEquals(method.toSignatureString(), "public final void finalMethod()");
}
+
/**
* Final Class, API lists methods as non-final, reflection has it as final.
* http://b/1839589
*/
public void testAddingFinalToAMethodInAFinalClass() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "FinalClass", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "FinalClass", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC | Modifier.FINAL);
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("finalMethod", Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "finalMethod", Modifier.PUBLIC, "void");
clz.addMethod(method);
- clz.checkSignatureCompliance();
+ clz.checkSignatureCompliance();
}
+
/**
* Final Class, API lists methods as final, reflection has it as non-final.
* http://b/1839589
*/
public void testRemovingFinalToAMethodInAFinalClass() {
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data", "FinalClass", new NoFailures());
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "FinalClass", new NoFailures());
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC | Modifier.FINAL);
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("nonFinalMethod",
- Modifier.PUBLIC | Modifier.FINAL,
- "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "nonFinalMethod", Modifier.PUBLIC | Modifier.FINAL, "void");
clz.addMethod(method);
- clz.checkSignatureCompliance();
+ clz.checkSignatureCompliance();
}
+
/**
- * non-final Class, API lists methods as non-final, reflection has it as final.
- * http://b/1839589
- */
+ * non-final Class, API lists methods as non-final, reflection has it as
+ * final. http://b/1839589
+ */
public void testAddingFinalToAMethodInANonFinalClass() {
- ExpectFailure observer = new ExpectFailure(FAILURE_TYPE.MISMATCH_METHOD);
- JDiffClassDescription clz = new JDiffClassDescription("android.tests.sigtest.tests.data",
- "NormalClass",
- observer);
+ ExpectFailure observer = new ExpectFailure(FailureType.MISMATCH_METHOD);
+ JDiffClassDescription clz = new JDiffClassDescription(
+ "android.signature.cts.tests.data", "NormalClass", observer);
clz.setType(JDiffClassDescription.JDiffType.CLASS);
clz.setModifier(Modifier.PUBLIC);
- JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod("finalMethod", Modifier.PUBLIC, "void");
+ JDiffClassDescription.JDiffMethod method = new JDiffClassDescription.JDiffMethod(
+ "finalMethod", Modifier.PUBLIC, "void");
clz.addMethod(method);
- clz.checkSignatureCompliance();
+ clz.checkSignatureCompliance();
observer.validate();
}
}
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/AbstractClass.java b/tests/signature-tests/src/android/signature/cts/tests/data/AbstractClass.java
similarity index 94%
rename from tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/AbstractClass.java
rename to tests/signature-tests/src/android/signature/cts/tests/data/AbstractClass.java
index d24d691..527e7eb 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/AbstractClass.java
+++ b/tests/signature-tests/src/android/signature/cts/tests/data/AbstractClass.java
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests.data;
+package android.signature.cts.tests.data;
/**
* This class is used as reference data for the JDiffClassDescriptionTest tests.
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/FinalClass.java b/tests/signature-tests/src/android/signature/cts/tests/data/FinalClass.java
similarity index 95%
rename from tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/FinalClass.java
rename to tests/signature-tests/src/android/signature/cts/tests/data/FinalClass.java
index 4c871f0..395e166 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/FinalClass.java
+++ b/tests/signature-tests/src/android/signature/cts/tests/data/FinalClass.java
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests.data;
+package android.signature.cts.tests.data;
/**
* This class is used as reference data for the
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalClass.java b/tests/signature-tests/src/android/signature/cts/tests/data/NormalClass.java
similarity index 97%
rename from tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalClass.java
rename to tests/signature-tests/src/android/signature/cts/tests/data/NormalClass.java
index 9cd54ab..5acd696 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalClass.java
+++ b/tests/signature-tests/src/android/signature/cts/tests/data/NormalClass.java
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests.data;
+package android.signature.cts.tests.data;
/**
* This class is used as reference data for the
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalException.java b/tests/signature-tests/src/android/signature/cts/tests/data/NormalException.java
similarity index 94%
rename from tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalException.java
rename to tests/signature-tests/src/android/signature/cts/tests/data/NormalException.java
index cc3d725..b2dd52d 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalException.java
+++ b/tests/signature-tests/src/android/signature/cts/tests/data/NormalException.java
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests.data;
+package android.signature.cts.tests.data;
import java.lang.Exception;
diff --git a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalInterface.java b/tests/signature-tests/src/android/signature/cts/tests/data/NormalInterface.java
similarity index 95%
rename from tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalInterface.java
rename to tests/signature-tests/src/android/signature/cts/tests/data/NormalInterface.java
index 3200b76..899f4cc 100644
--- a/tests/SignatureTest/tests/src/android/tests/sigtest/tests/data/NormalInterface.java
+++ b/tests/signature-tests/src/android/signature/cts/tests/data/NormalInterface.java
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-package android.tests.sigtest.tests.data;
+package android.signature.cts.tests.data;
/**
* This class is used as reference data for the
diff --git a/tests/SignatureTest/Android.mk b/tests/signature/Android.mk
similarity index 84%
rename from tests/SignatureTest/Android.mk
rename to tests/signature/Android.mk
index fc794e8..53ba50d 100644
--- a/tests/SignatureTest/Android.mk
+++ b/tests/signature/Android.mk
@@ -20,11 +20,11 @@
LOCAL_SRC_FILES := $(call all-java-files-under, src)
-LOCAL_PACKAGE_NAME := SignatureTest
+LOCAL_PACKAGE_NAME := CtsSignatureTestCases
LOCAL_SDK_VERSION := current
-LOCAL_STATIC_JAVA_LIBRARIES := android-support-test
+LOCAL_STATIC_JAVA_LIBRARIES := ctstestrunner
# To be passed in on command line
CTS_API_VERSION ?= current
@@ -84,5 +84,18 @@
android_api_description :=
CTS_API_VERSION :=
-# Use the following include to make our test apk.
-include $(call all-makefiles-under,$(LOCAL_PATH))
+# signature-hostside java library (for testing)
+# ============================================================
+
+include $(CLEAR_VARS)
+
+# These files are for device-side only, so filter-out for host library
+LOCAL_DEVICE_ONLY_SOURCES := %/SignatureTest.java
+
+LOCAL_SRC_FILES := $(filter-out $(LOCAL_DEVICE_ONLY_SOURCES), $(call all-java-files-under, src))
+
+LOCAL_MODULE := signature-hostside
+
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_HOST_JAVA_LIBRARY)
\ No newline at end of file
diff --git a/tests/SignatureTest/AndroidManifest.xml b/tests/signature/AndroidManifest.xml
similarity index 90%
rename from tests/SignatureTest/AndroidManifest.xml
rename to tests/signature/AndroidManifest.xml
index 89d8590..e42302e 100644
--- a/tests/SignatureTest/AndroidManifest.xml
+++ b/tests/signature/AndroidManifest.xml
@@ -16,7 +16,7 @@
-->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.tests.sigtest">
+ package="android.signature">
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<application>
@@ -24,7 +24,7 @@
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
- android:targetPackage="android.tests.sigtest"
+ android:targetPackage="android.signature"
android:label="API Signature Test"/>
</manifest>
\ No newline at end of file
diff --git a/tests/SignatureTest/res/raw/excludepackages.txt b/tests/signature/res/raw/excludepackages.txt
similarity index 100%
rename from tests/SignatureTest/res/raw/excludepackages.txt
rename to tests/signature/res/raw/excludepackages.txt
diff --git a/tests/signature/src/android/signature/cts/FailureType.java b/tests/signature/src/android/signature/cts/FailureType.java
new file mode 100644
index 0000000..5aaebc4
--- /dev/null
+++ b/tests/signature/src/android/signature/cts/FailureType.java
@@ -0,0 +1,16 @@
+package android.signature.cts;
+
+/**
+ * Define the type of the signature check failures.
+ */
+public enum FailureType {
+ MISSING_CLASS,
+ MISSING_INTERFACE,
+ MISSING_METHOD,
+ MISSING_FIELD,
+ MISMATCH_CLASS,
+ MISMATCH_INTERFACE,
+ MISMATCH_METHOD,
+ MISMATCH_FIELD,
+ CAUGHT_EXCEPTION,
+}
diff --git a/tests/SignatureTest/src/android/tests/sigtest/JDiffClassDescription.java b/tests/signature/src/android/signature/cts/JDiffClassDescription.java
similarity index 94%
rename from tests/SignatureTest/src/android/tests/sigtest/JDiffClassDescription.java
rename to tests/signature/src/android/signature/cts/JDiffClassDescription.java
index 36360d6..7ea9911 100644
--- a/tests/SignatureTest/src/android/tests/sigtest/JDiffClassDescription.java
+++ b/tests/signature/src/android/signature/cts/JDiffClassDescription.java
@@ -14,9 +14,7 @@
* limitations under the License.
*/
-package android.tests.sigtest;
-
-import android.tests.sigtest.SignatureTest.FAILURE_TYPE;
+package android.signature.cts;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
@@ -83,9 +81,8 @@
*/
public JDiffClassDescription(String pkg, String className) {
this(pkg, className, new ResultObserver() {
- public void notifyFailure(FAILURE_TYPE type,
- String name,
- String errorMessage) {
+ @Override
+ public void notifyFailure(FailureType type, String name, String errorMessage) {
// This is a null result observer that doesn't do anything.
}
});
@@ -99,9 +96,7 @@
* @param className the name of the class.
* @param resultObserver the resultObserver to get results with.
*/
- public JDiffClassDescription(String pkg,
- String className,
- ResultObserver resultObserver) {
+ public JDiffClassDescription(String pkg, String className, ResultObserver resultObserver) {
mPackageName = pkg;
mShortClassName = className;
mResultObserver = resultObserver;
@@ -144,7 +139,6 @@
}
static String convertModifiersToAccessLevel(int modifiers) {
- String accessLevel = "";
if ((modifiers & Modifier.PUBLIC) != 0) {
return "public";
} else if ((modifiers & Modifier.PRIVATE) != 0) {
@@ -500,7 +494,7 @@
Method m = findMatchingMethod(method);
if (m == null) {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISSING_METHOD,
+ mResultObserver.notifyFailure(FailureType.MISSING_METHOD,
method.toReadableString(mAbsoluteClassName),
"No method with correct signature found:" +
method.toSignatureString());
@@ -521,15 +515,15 @@
}
if (!areMethodModifiedCompatibile(method, m)) {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISMATCH_METHOD,
+ mResultObserver.notifyFailure(FailureType.MISMATCH_METHOD,
method.toReadableString(mAbsoluteClassName),
"Non-compatible method found when looking for " +
method.toSignatureString());
}
}
} catch (Exception e) {
- SignatureTestLog.e("Got exception when checking method compliance", e);
- mResultObserver.notifyFailure(FAILURE_TYPE.CAUGHT_EXCEPTION,
+ loge("Got exception when checking method compliance", e);
+ mResultObserver.notifyFailure(FailureType.CAUGHT_EXCEPTION,
method.toReadableString(mAbsoluteClassName),
"Exception!");
}
@@ -583,7 +577,6 @@
@SuppressWarnings("unchecked")
private Method findMatchingMethod(JDiffMethod method) {
Method[] methods = mClass.getDeclaredMethods();
- boolean found = false;
for (Method m : methods) {
if (matches(method, m)) {
@@ -637,7 +630,7 @@
try {
Constructor<?> c = findMatchingConstructor(con);
if (c == null) {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISSING_METHOD,
+ mResultObserver.notifyFailure(FailureType.MISSING_METHOD,
con.toReadableString(mAbsoluteClassName),
"No method with correct signature found:" +
con.toSignatureString());
@@ -647,15 +640,15 @@
}
if (c.getModifiers() != con.mModifier) {
mResultObserver.notifyFailure(
- FAILURE_TYPE.MISMATCH_METHOD,
+ FailureType.MISMATCH_METHOD,
con.toReadableString(mAbsoluteClassName),
"Non-compatible method found when looking for " +
con.toSignatureString());
}
}
} catch (Exception e) {
- SignatureTestLog.e("Got exception when checking constructor compliance", e);
- mResultObserver.notifyFailure(FAILURE_TYPE.CAUGHT_EXCEPTION,
+ loge("Got exception when checking constructor compliance", e);
+ mResultObserver.notifyFailure(FailureType.CAUGHT_EXCEPTION,
con.toReadableString(mAbsoluteClassName),
"Exception!");
}
@@ -716,12 +709,12 @@
try {
Field f = findMatchingField(field);
if (f == null) {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISSING_FIELD,
+ mResultObserver.notifyFailure(FailureType.MISSING_FIELD,
field.toReadableString(mAbsoluteClassName),
"No field with correct signature found:" +
field.toSignatureString());
} else if (f.getModifiers() != field.mModifier) {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISMATCH_FIELD,
+ mResultObserver.notifyFailure(FailureType.MISMATCH_FIELD,
field.toReadableString(mAbsoluteClassName),
"Non-compatible field modifiers found when looking for " +
field.toSignatureString());
@@ -735,7 +728,7 @@
}
if (genericTypeName == null || !genericTypeName.equals(field.mFieldType)) {
mResultObserver.notifyFailure(
- FAILURE_TYPE.MISMATCH_FIELD,
+ FailureType.MISMATCH_FIELD,
field.toReadableString(mAbsoluteClassName),
"Non-compatible field type found when looking for " +
field.toSignatureString());
@@ -743,10 +736,11 @@
}
} catch (Exception e) {
- SignatureTestLog.e("Got exception when checking field compliance", e);
- mResultObserver.notifyFailure(FAILURE_TYPE.CAUGHT_EXCEPTION,
+ loge("Got exception when checking field compliance", e);
+ mResultObserver.notifyFailure(
+ FailureType.CAUGHT_EXCEPTION,
field.toReadableString(mAbsoluteClassName),
- "Exception!");
+ "Exception!");
}
}
}
@@ -880,11 +874,11 @@
if (mClass == null) {
// No class found, notify the observer according to the class type
if (JDiffType.INTERFACE.equals(mClassType)) {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISSING_INTERFACE,
+ mResultObserver.notifyFailure(FailureType.MISSING_INTERFACE,
mAbsoluteClassName,
"Classloader is unable to find " + mAbsoluteClassName);
} else {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISSING_CLASS,
+ mResultObserver.notifyFailure(FailureType.MISSING_CLASS,
mAbsoluteClassName,
"Classloader is unable to find " + mAbsoluteClassName);
}
@@ -920,10 +914,11 @@
}
}
} catch (Exception e) {
- SignatureTestLog.e("Got exception when checking field compliance", e);
- mResultObserver.notifyFailure(FAILURE_TYPE.CAUGHT_EXCEPTION,
+ loge("Got exception when checking field compliance", e);
+ mResultObserver.notifyFailure(
+ FailureType.CAUGHT_EXCEPTION,
mAbsoluteClassName,
- "Exception!");
+ "Exception!");
}
}
@@ -974,11 +969,11 @@
private void logMismatchInterfaceSignature(String classFullName, String errorMessage) {
if (JDiffType.INTERFACE.equals(mClassType)) {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISMATCH_INTERFACE,
+ mResultObserver.notifyFailure(FailureType.MISMATCH_INTERFACE,
classFullName,
errorMessage);
} else {
- mResultObserver.notifyFailure(FAILURE_TYPE.MISMATCH_CLASS,
+ mResultObserver.notifyFailure(FailureType.MISMATCH_CLASS,
classFullName,
errorMessage);
}
@@ -1026,7 +1021,7 @@
}
}
} catch (ClassNotFoundException e) {
- SignatureTestLog.e("ClassNotFoundException for " + mPackageName + "." + mShortClassName, e);
+ loge("ClassNotFoundException for " + mPackageName + "." + mShortClassName, e);
return null;
}
return null;
@@ -1195,4 +1190,8 @@
// canonicalize them to one form.
return paramType.replace("<? extends java.lang.Object>", "<?>");
}
+
+ private static void loge(String message, Exception exception) {
+ System.err.println(String.format("%s: %s", message, exception));
+ }
}
diff --git a/tests/SignatureTest/src/android/tests/sigtest/ResultObserver.java b/tests/signature/src/android/signature/cts/ResultObserver.java
similarity index 81%
rename from tests/SignatureTest/src/android/tests/sigtest/ResultObserver.java
rename to tests/signature/src/android/signature/cts/ResultObserver.java
index e9d2260..33234e9 100644
--- a/tests/SignatureTest/src/android/tests/sigtest/ResultObserver.java
+++ b/tests/signature/src/android/signature/cts/ResultObserver.java
@@ -14,9 +14,8 @@
* limitations under the License.
*/
-package android.tests.sigtest;
+package android.signature.cts;
-import android.tests.sigtest.SignatureTest.FAILURE_TYPE;
/**
* Interface for saving signature test result.
*/
@@ -27,8 +26,6 @@
* @param name Name of the failed element (interface/class/method/field)
* @param errorMessage a descriptive message indicating why it failed.
*/
- void notifyFailure(FAILURE_TYPE type,
- String name,
- String errorMessage);
+ void notifyFailure(FailureType type, String name, String errorMessage);
}
diff --git a/tests/SignatureTest/src/android/tests/sigtest/SignatureTest.java b/tests/signature/src/android/signature/cts/SignatureTest.java
similarity index 91%
rename from tests/SignatureTest/src/android/tests/sigtest/SignatureTest.java
rename to tests/signature/src/android/signature/cts/SignatureTest.java
index 8ae02ac..e3099a9 100644
--- a/tests/SignatureTest/src/android/tests/sigtest/SignatureTest.java
+++ b/tests/signature/src/android/signature/cts/SignatureTest.java
@@ -14,13 +14,15 @@
* limitations under the License.
*/
-package android.tests.sigtest;
+package android.signature.cts;
import android.content.res.Resources;
+import android.signature.R;
+import android.signature.cts.JDiffClassDescription.JDiffConstructor;
+import android.signature.cts.JDiffClassDescription.JDiffField;
+import android.signature.cts.JDiffClassDescription.JDiffMethod;
import android.test.AndroidTestCase;
-import android.tests.sigtest.JDiffClassDescription.JDiffConstructor;
-import android.tests.sigtest.JDiffClassDescription.JDiffField;
-import android.tests.sigtest.JDiffClassDescription.JDiffMethod;
+import android.util.Log;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
@@ -37,6 +39,8 @@
*/
public class SignatureTest extends AndroidTestCase {
+ private static final String TAG = SignatureTest.class.getSimpleName();
+
private static final String TAG_ROOT = "api";
private static final String TAG_PACKAGE = "package";
private static final String TAG_CLASS = "class";
@@ -70,26 +74,12 @@
private HashSet<String> mKeyTagSet;
private TestResultObserver mResultObserver;
- /**
- * Define the type of the signature check failures.
- */
- public static enum FAILURE_TYPE {
- MISSING_CLASS,
- MISSING_INTERFACE,
- MISSING_METHOD,
- MISSING_FIELD,
- MISMATCH_CLASS,
- MISMATCH_INTERFACE,
- MISMATCH_METHOD,
- MISMATCH_FIELD,
- CAUGHT_EXCEPTION,
- }
-
private class TestResultObserver implements ResultObserver {
boolean mDidFail = false;
StringBuilder mErrorString = new StringBuilder();
- public void notifyFailure(FAILURE_TYPE type, String name, String errorMessage) {
+ @Override
+ public void notifyFailure(FailureType type, String name, String errorMessage) {
mDidFail = true;
mErrorString.append("\n");
mErrorString.append(type.toString().toLowerCase());
@@ -116,12 +106,14 @@
public void testSignature() {
Resources r = getContext().getResources();
Class rClass = R.xml.class;
+ logd(String.format("Class: %s", rClass.toString()));
Field[] fs = rClass.getFields();
for (Field f : fs) {
+ logd(String.format("Field: %s", fs.toString()));
try {
start(r.getXml(f.getInt(rClass)));
} catch (Exception e) {
- mResultObserver.notifyFailure(FAILURE_TYPE.CAUGHT_EXCEPTION, e.getMessage(),
+ mResultObserver.notifyFailure(FailureType.CAUGHT_EXCEPTION, e.getMessage(),
e.getMessage());
}
}
@@ -150,6 +142,11 @@
* Signature test entry point.
*/
private void start(XmlPullParser parser) throws XmlPullParserException, IOException {
+ logd(String.format("Parser: %s", parser.getName()));
+ logd(String.format("Parser: %s", parser.getNamespace()));
+ logd(String.format("Parser: %s", parser.getLineNumber()));
+ logd(String.format("Parser: %s", parser.getColumnNumber()));
+ logd(String.format("Parser: %s", parser.getPositionDescription()));
JDiffClassDescription currentClass = null;
String currentPackage = "";
JDiffMethod currentMethod = null;
@@ -332,4 +329,12 @@
}
return modifier;
}
+
+ public static void loge(String msg, Exception e) {
+ Log.e(TAG, msg, e);
+ }
+
+ public static void logd(String msg) {
+ Log.d(TAG, msg);
+ }
}
diff --git a/tests/tests/app/src/android/app/cts/ActivityManagerMemoryClassTest.java b/tests/tests/app/src/android/app/cts/ActivityManagerMemoryClassTest.java
index 408efe7..7d3fc5e 100644
--- a/tests/tests/app/src/android/app/cts/ActivityManagerMemoryClassTest.java
+++ b/tests/tests/app/src/android/app/cts/ActivityManagerMemoryClassTest.java
@@ -98,6 +98,10 @@
expectedMinimumMemory = isXLarge ? 256 : 128;
break;
+ case DisplayMetrics.DENSITY_560:
+ expectedMinimumMemory = isXLarge ? 512 : 256;
+ break;
+
case DisplayMetrics.DENSITY_XXXHIGH:
expectedMinimumMemory = isXLarge ? 512 : 256;
break;
diff --git a/tests/tests/content/AndroidManifest.xml b/tests/tests/content/AndroidManifest.xml
index b3de29f..a5caba8 100644
--- a/tests/tests/content/AndroidManifest.xml
+++ b/tests/tests/content/AndroidManifest.xml
@@ -177,6 +177,16 @@
<activity android:name="android.content.cts.ClipboardManagerListenerActivity"/>
+ <activity android:name="com.android.cts.content.ImageCaptureActivity"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.media.action.IMAGE_CAPTURE" />
+ <action android:name="android.media.action.IMAGE_CAPTURE_SECURE" />
+ <action android:name="android.media.action.VIDEO_CAPTURE" />
+ <category android:name="android.intent.category.DEFAULT" />
+ </intent-filter>
+ </activity>
+
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/content/src/android/content/cts/ContextWrapperTest.java b/tests/tests/content/src/android/content/cts/ContextWrapperTest.java
index e7b6ed7..62fc83a 100644
--- a/tests/tests/content/src/android/content/cts/ContextWrapperTest.java
+++ b/tests/tests/content/src/android/content/cts/ContextWrapperTest.java
@@ -641,7 +641,8 @@
}
public void testCheckCallingOrSelfPermission() {
- int retValue = mContextWrapper.checkCallingOrSelfPermission("android.permission.GET_TASKS");
+ int retValue = mContextWrapper.checkCallingOrSelfPermission(
+ "android.permission.SET_WALLPAPER");
assertEquals(PackageManager.PERMISSION_GRANTED, retValue);
}
@@ -705,7 +706,7 @@
}
// Test with invalid uid and included granted permission.
- returnValue = mContextWrapper.checkPermission("android.permission.GET_TASKS", 1, -11);
+ returnValue = mContextWrapper.checkPermission("android.permission.SET_WALLPAPER", 1, -11);
assertEquals(PackageManager.PERMISSION_DENIED, returnValue);
}
diff --git a/tests/tests/content/src/android/content/cts/ImageCaptureActivity.java b/tests/tests/content/src/android/content/cts/ImageCaptureActivity.java
new file mode 100644
index 0000000..71bf250
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/ImageCaptureActivity.java
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.content;
+
+import android.app.Activity;
+import android.content.ClipData;
+import android.content.ClipData.Item;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Bundle;
+import android.provider.MediaStore;
+import android.util.Log;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.Writer;
+
+public class ImageCaptureActivity extends Activity {
+ public static final String ACTION_FILE_READY = "com.android.cts.content.action.file_ready";
+ private static final String TAG = ImageCaptureUriExtraToClipDataTest.TAG;
+
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Intent intent = getIntent();
+
+ // Check action.
+ String action = intent.getAction();
+ if ((MediaStore.ACTION_IMAGE_CAPTURE.equals(action)
+ || MediaStore.ACTION_IMAGE_CAPTURE_SECURE.equals(action)
+ || MediaStore.ACTION_VIDEO_CAPTURE.equals(action))) {
+ writeToClipDataUri(intent);
+ }
+
+ finish();
+ }
+
+ // Sends ACTION_FILE_READY intent when write to clipdata uri is succesful.
+ private void writeToClipDataUri(Intent intent) {
+ if ((intent.getFlags() & Intent.FLAG_GRANT_WRITE_URI_PERMISSION) == 0) {
+
+ // Note: since this activity is in the same package as the test we can write to the file
+ // regardless of this permission, but in general this permission is required.
+ Log.e(TAG, "Intent.FLAG_GRANT_WRITE_URI_PERMISSION was not granted.");
+ return;
+ }
+
+ File file = getFileFromIntent(intent);
+ if (file == null) {
+ Log.e(TAG, "Could not get file from clipdata.");
+ return;
+ }
+ try {
+ FileWriter writer = new FileWriter(file);
+ writer.write(ImageCaptureUriExtraToClipDataTest.TEST_INPUT);
+ writer.flush();
+ writer.close();
+ } catch (IOException e) {
+ Log.e(TAG, "File IO failure while writing.");
+ return;
+ }
+ Intent fileReady = new Intent(ACTION_FILE_READY);
+ sendBroadcast(fileReady);
+ }
+
+ private File getFileFromIntent(Intent intent) {
+ ClipData clipData = intent.getClipData();
+ if (clipData == null) {
+ Log.e(TAG, "ClipData missing.");
+ return null;
+ }
+ if (clipData.getItemCount() == 0) {
+ Log.e(TAG, "Uri missing in ClipData.");
+ return null;
+ }
+
+ Uri filePath = clipData.getItemAt(0).getUri();
+ if (filePath == null) {
+ Log.e(TAG, "Uri missing in ClipData.");
+ return null;
+ }
+
+ try {
+ return new File(filePath.getPath());
+ } catch (IllegalArgumentException e) {
+ Log.e(TAG, "Cannot get file at Uri.");
+ return null;
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/content/src/android/content/cts/ImageCaptureUriExtraToClipDataTest.java b/tests/tests/content/src/android/content/cts/ImageCaptureUriExtraToClipDataTest.java
new file mode 100644
index 0000000..bb2a43d
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/ImageCaptureUriExtraToClipDataTest.java
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.content;
+
+import android.content.BroadcastReceiver;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.net.Uri;
+import android.provider.MediaStore;
+import android.test.AndroidTestCase;
+
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.Reader;
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+
+public class ImageCaptureUriExtraToClipDataTest extends AndroidTestCase {
+ private static final String FILE_NAME = "testFile.txt";
+ private File mTestFile;
+ private final Semaphore mFileReadySemaphore = new Semaphore(0);
+
+ public static final String TEST_INPUT = "testString";
+ public static final String TAG = "ImageCaptureUriExtraToClipDataTest";
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ assertEquals(0, mFileReadySemaphore.availablePermits());
+
+ BroadcastReceiver mReceiver = new BroadcastReceiver() {
+ @Override
+ public void onReceive(Context context, Intent intent) {
+ mFileReadySemaphore.release();
+ }
+ };
+ IntentFilter filter = new IntentFilter();
+ filter.addAction(ImageCaptureActivity.ACTION_FILE_READY);
+ getContext().registerReceiver(mReceiver, filter);
+
+ mTestFile = new File(getContext().getFilesDir() + File.separator + FILE_NAME);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ if (mTestFile.exists()) {
+ assertTrue(mTestFile.delete());
+ }
+ super.tearDown();
+ }
+
+
+ public void testUriExtraOutputMigratedToClipData_imageCaptureIntent() {
+ startActivityWithAction(MediaStore.ACTION_IMAGE_CAPTURE);
+ waitForFileReady();
+ testFileContents();
+ }
+
+ public void testUriExtraOutputMigratedToClipData_imageCaptureSecureIntent() {
+ startActivityWithAction(MediaStore.ACTION_IMAGE_CAPTURE_SECURE);
+ waitForFileReady();
+ testFileContents();
+ }
+
+ public void testUriExtraOutputMigratedToClipData_videoCaptureIntent() {
+ startActivityWithAction(MediaStore.ACTION_VIDEO_CAPTURE);
+ waitForFileReady();
+ testFileContents();
+ }
+
+ private void startActivityWithAction(String action) {
+ Intent intent = new Intent(action);
+ intent.setComponent(new ComponentName("com.android.cts.content",
+ "com.android.cts.content.ImageCaptureActivity"));
+ intent.putExtra(MediaStore.EXTRA_OUTPUT, Uri.fromFile(mTestFile));
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ getContext().startActivity(intent);
+ }
+
+ private void waitForFileReady() {
+ try {
+ assertTrue(mFileReadySemaphore.tryAcquire(5, TimeUnit.SECONDS));
+ } catch (InterruptedException e) {
+ fail(e.toString());
+ }
+ }
+
+ private void testFileContents() {
+ char[] buffer = new char[TEST_INPUT.length()];
+ try {
+ FileReader reader = new FileReader(mTestFile);
+ reader.read(buffer);
+ reader.close();
+ } catch (IOException e) {
+ // Problem
+ fail(e.toString());
+ }
+ String fileContents = new String(buffer);
+ assertEquals(TEST_INPUT, fileContents);
+ }
+}
diff --git a/tests/tests/hardware/src/android/hardware/camera2/cts/CaptureRequestTest.java b/tests/tests/hardware/src/android/hardware/camera2/cts/CaptureRequestTest.java
index 006b32c..00dd24d 100644
--- a/tests/tests/hardware/src/android/hardware/camera2/cts/CaptureRequestTest.java
+++ b/tests/tests/hardware/src/android/hardware/camera2/cts/CaptureRequestTest.java
@@ -282,6 +282,11 @@
try {
openDevice(mCameraIds[i]);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test on legacy devices");
+ continue;
+ }
+
Size maxPreviewSz = mOrderedPreviewSizes.get(0); // Max preview size.
// Update preview surface with given size for all sub-tests.
@@ -340,6 +345,11 @@
try {
openDevice(mCameraIds[i]);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test on legacy devices");
+ continue;
+ }
+
faceDetectionTestByCamera();
} finally {
closeDevice();
diff --git a/tests/tests/hardware/src/android/hardware/camera2/cts/PerformanceTest.java b/tests/tests/hardware/src/android/hardware/camera2/cts/PerformanceTest.java
index d4a0e73..8b8f2f6 100644
--- a/tests/tests/hardware/src/android/hardware/camera2/cts/PerformanceTest.java
+++ b/tests/tests/hardware/src/android/hardware/camera2/cts/PerformanceTest.java
@@ -195,6 +195,11 @@
try {
openDevice(id);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test on legacy devices");
+ continue;
+ }
+
boolean partialsExpected = mStaticInfo.getPartialResultCount() > 1;
long startTimeMs;
boolean isPartialTimingValid = partialsExpected;
diff --git a/tests/tests/hardware/src/android/hardware/camera2/cts/StillCaptureTest.java b/tests/tests/hardware/src/android/hardware/camera2/cts/StillCaptureTest.java
index 8dd35f6..9766a45 100644
--- a/tests/tests/hardware/src/android/hardware/camera2/cts/StillCaptureTest.java
+++ b/tests/tests/hardware/src/android/hardware/camera2/cts/StillCaptureTest.java
@@ -65,8 +65,8 @@
// 60 second to accommodate the possible long exposure time.
private static final int EXIF_DATETIME_ERROR_MARGIN_SEC = 60;
private static final float EXIF_FOCAL_LENGTH_ERROR_MARGIN = 0.001f;
- // TODO: exposure time error margin need to be scaled with exposure time.
- private static final float EXIF_EXPOSURE_TIME_ERROR_MARGIN_SEC = 0.002f;
+ private static final float EXIF_EXPOSURE_TIME_ERROR_MARGIN_RATIO = 0.05f;
+ private static final float EXIF_EXPOSURE_TIME_MIN_ERROR_MARGIN_SEC = 0.002f;
private static final float EXIF_APERTURE_ERROR_MARGIN = 0.001f;
private static final Location sTestLocation0 = new Location(LocationManager.GPS_PROVIDER);
private static final Location sTestLocation1 = new Location(LocationManager.GPS_PROVIDER);
@@ -140,6 +140,11 @@
Log.i(TAG, "Testing JPEG exif for Camera " + mCameraIds[i]);
openDevice(mCameraIds[i]);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test on legacy devices");
+ continue;
+ }
+
jpegExifTestByCamera();
} finally {
closeDevice();
@@ -263,6 +268,11 @@
Log.i(TAG, "Testing Still preview capture combination for Camera " + id);
openDevice(id);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test for legacy devices");
+ continue;
+ }
+
previewStillCombinationTestByCamera();
} finally {
closeDevice();
@@ -303,6 +313,11 @@
Log.i(TAG, "Testing AE regions for Camera " + id);
openDevice(id);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test on legacy devices");
+ continue;
+ }
+
boolean aeRegionsSupported = isRegionsSupportedFor3A(MAX_REGIONS_AE_INDEX);
if (!aeRegionsSupported) {
continue;
@@ -353,6 +368,11 @@
Log.i(TAG, "Testing AF regions for Camera " + id);
openDevice(id);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test on legacy devices");
+ continue;
+ }
+
boolean afRegionsSupported = isRegionsSupportedFor3A(MAX_REGIONS_AF_INDEX);
if (!afRegionsSupported) {
continue;
@@ -1101,8 +1121,10 @@
double exposureTimeValue = Double.parseDouble(exposureTime);
long expTimeResult = result.get(CaptureResult.SENSOR_EXPOSURE_TIME);
double expected = expTimeResult / 1e9;
+ double tolerance = expected * EXIF_EXPOSURE_TIME_ERROR_MARGIN_RATIO;
+ tolerance = Math.max(tolerance, EXIF_EXPOSURE_TIME_MIN_ERROR_MARGIN_SEC);
mCollector.expectEquals("Exif exposure time doesn't match", expected,
- exposureTimeValue, EXIF_EXPOSURE_TIME_ERROR_MARGIN_SEC);
+ exposureTimeValue, tolerance);
}
}
diff --git a/tests/tests/hardware/src/android/hardware/camera2/cts/SurfaceViewPreviewTest.java b/tests/tests/hardware/src/android/hardware/camera2/cts/SurfaceViewPreviewTest.java
index 01da4c8..b3d4cf9 100644
--- a/tests/tests/hardware/src/android/hardware/camera2/cts/SurfaceViewPreviewTest.java
+++ b/tests/tests/hardware/src/android/hardware/camera2/cts/SurfaceViewPreviewTest.java
@@ -74,6 +74,11 @@
Log.i(TAG, "Testing preview for Camera " + mCameraIds[i]);
openDevice(mCameraIds[i]);
+ if (mStaticInfo.isHardwareLevelLegacy()) {
+ Log.i(TAG, "Skipping test on legacy devices");
+ continue;
+ }
+
previewTestByCamera();
} finally {
closeDevice();
diff --git a/tests/tests/hardware/src/android/hardware/cts/helpers/TestSensorManager.java b/tests/tests/hardware/src/android/hardware/cts/helpers/TestSensorManager.java
index a62107b..d72a2ce 100644
--- a/tests/tests/hardware/src/android/hardware/cts/helpers/TestSensorManager.java
+++ b/tests/tests/hardware/src/android/hardware/cts/helpers/TestSensorManager.java
@@ -58,7 +58,7 @@
private TestSensorEventListener mTestSensorEventListener;
/**
- * @Deprecated Use {@link #TestSensorManager(TestSensorEnvironment)} instead.
+ * @deprecated Use {@link #TestSensorManager(TestSensorEnvironment)} instead.
*/
@Deprecated
public TestSensorManager(
diff --git a/tests/tests/hardware/src/android/hardware/cts/helpers/sensoroperations/SensorOperationTest.java b/tests/tests/hardware/src/android/hardware/cts/helpers/sensoroperations/SensorOperationTest.java
index 7148454..38ad498 100644
--- a/tests/tests/hardware/src/android/hardware/cts/helpers/sensoroperations/SensorOperationTest.java
+++ b/tests/tests/hardware/src/android/hardware/cts/helpers/sensoroperations/SensorOperationTest.java
@@ -16,10 +16,10 @@
package android.hardware.cts.helpers.sensoroperations;
-import android.hardware.cts.helpers.SensorStats;
-
import junit.framework.TestCase;
+import android.hardware.cts.helpers.SensorStats;
+
import java.util.Set;
import java.util.concurrent.TimeUnit;
@@ -29,7 +29,7 @@
* {@link SequentialSensorOperation}.
*/
public class SensorOperationTest extends TestCase {
- private static final int THRESHOLD_MS = 50;
+ private static final long TEST_DURATION_THRESHOLD_MS = TimeUnit.SECONDS.toMillis(5);
/**
* Test that the {@link FakeSensorOperation} functions correctly. Other tests in this class
@@ -44,7 +44,7 @@
long start = System.currentTimeMillis();
op.execute();
long duration = System.currentTimeMillis() - start;
- assertTrue(Math.abs(opDurationMs - duration) < THRESHOLD_MS);
+ assertTrue(Math.abs(opDurationMs - duration) < TEST_DURATION_THRESHOLD_MS);
assertTrue(op.getStats().flatten().containsKey("executed"));
op = new FakeSensorOperation(true, 0, TimeUnit.MILLISECONDS);
@@ -67,10 +67,11 @@
FakeSensorOperation subOp = new FakeSensorOperation(subOpDurationMs, TimeUnit.MILLISECONDS);
ISensorOperation op = new DelaySensorOperation(subOp, opDurationMs, TimeUnit.MILLISECONDS);
- long start = System.currentTimeMillis();
+ long startMs = System.currentTimeMillis();
op.execute();
- long duration = System.currentTimeMillis() - start;
- assertTrue(Math.abs(opDurationMs + subOpDurationMs - duration) < THRESHOLD_MS);
+ long dirationMs = System.currentTimeMillis() - startMs;
+ long durationDeltaMs = Math.abs(opDurationMs + subOpDurationMs - dirationMs);
+ assertTrue(durationDeltaMs < TEST_DURATION_THRESHOLD_MS);
}
/**
@@ -92,8 +93,18 @@
long start = System.currentTimeMillis();
op.execute();
- long duration = System.currentTimeMillis() - start;
- assertTrue(Math.abs(subOpDurationMs - duration) < THRESHOLD_MS);
+ long durationMs = System.currentTimeMillis() - start;
+ long durationDeltaMs = Math.abs(subOpDurationMs - durationMs);
+ String message = String.format(
+ "Expected duration=%sms, observed=%sms, delta=%sms, thresold=%sms",
+ subOpDurationMs,
+ durationMs,
+ durationDeltaMs,
+ TEST_DURATION_THRESHOLD_MS);
+ // starting threads might have an impact in the order of 100s ms, depending on the load of
+ // the system, so we relax the benchmark part of the test, and we just expect all operations
+ // to complete
+ assertTrue(message, durationDeltaMs < TEST_DURATION_THRESHOLD_MS);
statsKeys = op.getStats().flatten().keySet();
assertEquals(subOpCount, statsKeys.size());
@@ -151,9 +162,9 @@
public void testParallelSensorOperation_timeout() {
final int subOpCount = 100;
- ParallelSensorOperation op = new ParallelSensorOperation(100, TimeUnit.MILLISECONDS);
+ ParallelSensorOperation op = new ParallelSensorOperation(1, TimeUnit.SECONDS);
for (int i = 0; i < subOpCount; i++) {
- // Trigger timeouts in the 5th, 55th operations (5 seconds vs 0 seconds)
+ // Trigger timeouts in the 5th, 55th operations (5 seconds vs 1 seconds)
ISensorOperation subOp = new FakeSensorOperation(i % 50 == 5 ? 5 : 0, TimeUnit.SECONDS);
op.add(subOp);
}
@@ -196,7 +207,7 @@
long start = System.currentTimeMillis();
op.execute();
long duration = System.currentTimeMillis() - start;
- assertTrue(Math.abs(subOpDurationMs * iterations - duration) < THRESHOLD_MS);
+ assertTrue(Math.abs(subOpDurationMs * iterations - duration) < TEST_DURATION_THRESHOLD_MS);
statsKeys = op.getStats().flatten().keySet();
assertEquals(iterations, statsKeys.size());
@@ -285,7 +296,7 @@
long start = System.currentTimeMillis();
op.execute();
long duration = System.currentTimeMillis() - start;
- assertTrue(Math.abs(subOpDurationMs * subOpCount - duration) < THRESHOLD_MS);
+ assertTrue(Math.abs(subOpDurationMs * subOpCount - duration) < TEST_DURATION_THRESHOLD_MS);
statsKeys = op.getStats().flatten().keySet();
assertEquals(subOpCount, statsKeys.size());
diff --git a/tests/tests/os/src/android/os/cts/ReadElf.java b/tests/tests/os/src/android/os/cts/ReadElf.java
index 2f64e03..4a20031 100644
--- a/tests/tests/os/src/android/os/cts/ReadElf.java
+++ b/tests/tests/os/src/android/os/cts/ReadElf.java
@@ -19,458 +19,476 @@
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
-import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
/**
- * A poor man's implementation of the readelf command. This program is
- * designed to parse ELF (Executable and Linkable Format) files.
+ * A poor man's implementation of the readelf command. This program is designed
+ * to parse ELF (Executable and Linkable Format) files.
*/
public class ReadElf implements AutoCloseable {
- /** The magic values for the ELF identification. */
- private static final byte[] ELFMAG = { (byte) 0x7F, (byte) 'E', (byte) 'L', (byte) 'F', };
+ /** The magic values for the ELF identification. */
+ private static final byte[] ELFMAG = {
+ (byte) 0x7F, (byte) 'E', (byte) 'L', (byte) 'F', };
- private static final int EI_NIDENT = 16;
+ private static final int EI_NIDENT = 16;
- private static final int EI_CLASS = 4;
- private static final int EI_DATA = 5;
+ private static final int EI_CLASS = 4;
+ private static final int EI_DATA = 5;
- private static final int EM_386 = 3;
- private static final int EM_MIPS = 8;
- private static final int EM_ARM = 40;
- private static final int EM_X86_64 = 62;
- // http://en.wikipedia.org/wiki/Qualcomm_Hexagon
- private static final int EM_QDSP6 = 164;
- private static final int EM_AARCH64 = 183;
+ private static final int EM_386 = 3;
+ private static final int EM_MIPS = 8;
+ private static final int EM_ARM = 40;
+ private static final int EM_X86_64 = 62;
+ // http://en.wikipedia.org/wiki/Qualcomm_Hexagon
+ private static final int EM_QDSP6 = 164;
+ private static final int EM_AARCH64 = 183;
- private static final int ELFCLASS32 = 1;
- private static final int ELFCLASS64 = 2;
+ private static final int ELFCLASS32 = 1;
+ private static final int ELFCLASS64 = 2;
- private static final int ELFDATA2LSB = 1;
- private static final int ELFDATA2MSB = 2;
+ private static final int ELFDATA2LSB = 1;
+ private static final int ELFDATA2MSB = 2;
- private static final int EV_CURRENT = 1;
+ private static final int EV_CURRENT = 1;
- private static final long PT_LOAD = 1;
+ private static final long PT_LOAD = 1;
- private static final int SHT_SYMTAB = 2;
- private static final int SHT_STRTAB = 3;
- private static final int SHT_DYNAMIC = 6;
- private static final int SHT_DYNSYM = 11;
+ private static final int SHT_SYMTAB = 2;
+ private static final int SHT_STRTAB = 3;
+ private static final int SHT_DYNAMIC = 6;
+ private static final int SHT_DYNSYM = 11;
- public static class Symbol {
- public static final int STB_LOCAL = 0;
- public static final int STB_GLOBAL = 1;
- public static final int STB_WEAK = 2;
- public static final int STB_LOPROC = 13;
- public static final int STB_HIPROC = 15;
+ public static class Symbol {
+ public static final int STB_LOCAL = 0;
+ public static final int STB_GLOBAL = 1;
+ public static final int STB_WEAK = 2;
+ public static final int STB_LOPROC = 13;
+ public static final int STB_HIPROC = 15;
- public static final int STT_NOTYPE = 0;
- public static final int STT_OBJECT = 1;
- public static final int STT_FUNC = 2;
- public static final int STT_SECTION = 3;
- public static final int STT_FILE = 4;
- public static final int STT_COMMON = 5;
- public static final int STT_TLS = 6;
+ public static final int STT_NOTYPE = 0;
+ public static final int STT_OBJECT = 1;
+ public static final int STT_FUNC = 2;
+ public static final int STT_SECTION = 3;
+ public static final int STT_FILE = 4;
+ public static final int STT_COMMON = 5;
+ public static final int STT_TLS = 6;
- public final String name;
- public final int bind;
- public final int type;
+ public final String name;
+ public final int bind;
+ public final int type;
- Symbol(String name, int st_info) {
- this.name = name;
- this.bind = (st_info >> 4) & 0x0F;
- this.type = st_info & 0x0F;
- }
-
- public String toString() {
- return "Symbol[" + name + "," + toBind() + "," + toType() + "]";
- }
-
- private String toBind() {
- switch (bind) {
- case STB_LOCAL: return "LOCAL";
- case STB_GLOBAL: return "GLOBAL";
- case STB_WEAK: return "WEAK";
- }
- return "STB_??? (" + bind + ")";
- }
-
- private String toType() {
- switch (type) {
- case STT_NOTYPE: return "NOTYPE";
- case STT_OBJECT: return "OBJECT";
- case STT_FUNC: return "FUNC";
- case STT_SECTION: return "SECTION";
- case STT_FILE: return "FILE";
- case STT_COMMON: return "COMMON";
- case STT_TLS: return "TLS";
- }
- return "STT_??? (" + type + ")";
- }
- }
-
- private final String mPath;
- private final RandomAccessFile mFile;
- private final byte[] mBuffer = new byte[512];
- private int mEndian;
- private boolean mIsDynamic;
- private boolean mIsPIE;
- private int mType;
- private int mAddrSize;
-
- /** Symbol Table offset */
- private long mSymTabOffset;
-
- /** Symbol Table size */
- private long mSymTabSize;
-
- /** Dynamic Symbol Table offset */
- private long mDynSymOffset;
-
- /** Dynamic Symbol Table size */
- private long mDynSymSize;
-
- /** Section Header String Table offset */
- private long mShStrTabOffset;
-
- /** Section Header String Table size */
- private long mShStrTabSize;
-
- /** String Table offset */
- private long mStrTabOffset;
-
- /** String Table size */
- private long mStrTabSize;
-
- /** Dynamic String Table offset */
- private long mDynStrOffset;
-
- /** Dynamic String Table size */
- private long mDynStrSize;
-
- /** Symbol Table symbol names */
- private Map<String, Symbol> mSymbols;
-
- /** Dynamic Symbol Table symbol names */
- private Map<String, Symbol> mDynamicSymbols;
-
- public static ReadElf read(File file) throws IOException {
- return new ReadElf(file);
- }
-
- public static void main(String[] args) throws IOException {
- for (String arg : args) {
- ReadElf re = new ReadElf(new File(arg));
- re.getSymbol("x");
- re.getDynamicSymbol("x");
- }
- }
-
- public boolean isDynamic() {
- return mIsDynamic;
- }
-
- public int getType() {
- return mType;
- }
-
- public boolean isPIE() {
- return mIsPIE;
- }
-
- private ReadElf(File file) throws IOException {
- mPath = file.getPath();
- mFile = new RandomAccessFile(file, "r");
-
- if (mFile.length() < EI_NIDENT) {
- throw new IllegalArgumentException("Too small to be an ELF file: " + file);
- }
-
- readHeader();
- }
-
- public void close() {
- try {
- mFile.close();
- } catch (IOException ignored) {
- }
- }
-
- protected void finalize() throws Throwable {
- try {
- close();
- } finally {
- super.finalize();
- }
- }
-
- private void readHeader() throws IOException {
- mFile.seek(0);
- mFile.readFully(mBuffer, 0, EI_NIDENT);
-
- if (mBuffer[0] != ELFMAG[0] || mBuffer[1] != ELFMAG[1] ||
- mBuffer[2] != ELFMAG[2] || mBuffer[3] != ELFMAG[3]) {
- throw new IllegalArgumentException("Invalid ELF file: " + mPath);
- }
-
- int elfClass = mBuffer[EI_CLASS];
- if (elfClass == ELFCLASS32) {
- mAddrSize = 4;
- } else if (elfClass == ELFCLASS64) {
- mAddrSize = 8;
- } else {
- throw new IOException("Invalid ELF EI_CLASS: " + elfClass + ": " + mPath);
- }
-
- mEndian = mBuffer[EI_DATA];
- if (mEndian == ELFDATA2LSB) {
- } else if (mEndian == ELFDATA2MSB) {
- throw new IOException("Unsupported ELFDATA2MSB file: " + mPath);
- } else {
- throw new IOException("Invalid ELF EI_DATA: " + mEndian + ": " + mPath);
- }
-
- mType = readHalf();
-
- int e_machine = readHalf();
- if (e_machine != EM_386 && e_machine != EM_X86_64 &&
- e_machine != EM_AARCH64 && e_machine != EM_ARM &&
- e_machine != EM_MIPS &&
- e_machine != EM_QDSP6) {
- throw new IOException("Invalid ELF e_machine: " + e_machine + ": " + mPath);
- }
-
- // AbiTest relies on us rejecting any unsupported combinations.
- if ((e_machine == EM_386 && elfClass != ELFCLASS32) ||
- (e_machine == EM_X86_64 && elfClass != ELFCLASS64) ||
- (e_machine == EM_AARCH64 && elfClass != ELFCLASS64) ||
- (e_machine == EM_ARM && elfClass != ELFCLASS32) ||
- (e_machine == EM_QDSP6 && elfClass != ELFCLASS32)) {
- throw new IOException("Invalid e_machine/EI_CLASS ELF combination: " +
- e_machine + "/" + elfClass + ": " + mPath);
- }
-
- long e_version = readWord();
- if (e_version != EV_CURRENT) {
- throw new IOException("Invalid e_version: " + e_version + ": " + mPath);
- }
-
- long e_entry = readAddr();
-
- long ph_off = readOff();
- long sh_off = readOff();
-
- long e_flags = readWord();
- int e_ehsize = readHalf();
- int e_phentsize = readHalf();
- int e_phnum = readHalf();
- int e_shentsize = readHalf();
- int e_shnum = readHalf();
- int e_shstrndx = readHalf();
-
- readSectionHeaders(sh_off, e_shnum, e_shentsize, e_shstrndx);
- readProgramHeaders(ph_off, e_phnum, e_phentsize);
- }
-
- private void readSectionHeaders(long sh_off, int e_shnum, int e_shentsize, int e_shstrndx) throws IOException {
- // Read the Section Header String Table offset first.
- {
- mFile.seek(sh_off + e_shstrndx * e_shentsize);
-
- long sh_name = readWord();
- long sh_type = readWord();
- long sh_flags = readX(mAddrSize);
- long sh_addr = readAddr();
- long sh_offset = readOff();
- long sh_size = readX(mAddrSize);
- // ...
-
- if (sh_type == SHT_STRTAB) {
- mShStrTabOffset = sh_offset;
- mShStrTabSize = sh_size;
- }
- }
-
- for (int i = 0; i < e_shnum; ++i) {
- // Don't bother to re-read the Section Header StrTab.
- if (i == e_shstrndx) {
- continue;
- }
-
- mFile.seek(sh_off + i * e_shentsize);
-
- long sh_name = readWord();
- long sh_type = readWord();
- long sh_flags = readX(mAddrSize);
- long sh_addr = readAddr();
- long sh_offset = readOff();
- long sh_size = readX(mAddrSize);
-
- if (sh_type == SHT_SYMTAB || sh_type == SHT_DYNSYM) {
- final String symTabName = readShStrTabEntry(sh_name);
- if (".symtab".equals(symTabName)) {
- mSymTabOffset = sh_offset;
- mSymTabSize = sh_size;
- } else if (".dynsym".equals(symTabName)) {
- mDynSymOffset = sh_offset;
- mDynSymSize = sh_size;
+ Symbol(String name, int st_info) {
+ this.name = name;
+ this.bind = (st_info >> 4) & 0x0F;
+ this.type = st_info & 0x0F;
}
- } else if (sh_type == SHT_STRTAB) {
- final String strTabName = readShStrTabEntry(sh_name);
- if (".strtab".equals(strTabName)) {
- mStrTabOffset = sh_offset;
- mStrTabSize = sh_size;
- } else if (".dynstr".equals(strTabName)) {
- mDynStrOffset = sh_offset;
- mDynStrSize = sh_size;
+
+ @Override
+ public String toString() {
+ return "Symbol[" + name + "," + toBind() + "," + toType() + "]";
}
- } else if (sh_type == SHT_DYNAMIC) {
- mIsDynamic = true;
- }
- }
- }
- private void readProgramHeaders(long ph_off, int e_phnum, int e_phentsize) throws IOException {
- for (int i = 0; i < e_phnum; ++i) {
- mFile.seek(ph_off + i * e_phentsize);
-
- long p_type = readWord();
- if (p_type == PT_LOAD) {
- if (mAddrSize == 8) {
- long p_flags = readWord(); // Only in Elf64_phdr; in Elf32_phdr p_flags is at the end.
+ private String toBind() {
+ switch (bind) {
+ case STB_LOCAL:
+ return "LOCAL";
+ case STB_GLOBAL:
+ return "GLOBAL";
+ case STB_WEAK:
+ return "WEAK";
+ }
+ return "STB_??? (" + bind + ")";
}
- long p_offset = readOff();
- long p_vaddr = readAddr();
- // ...
- if (p_vaddr == 0) {
- mIsPIE = true;
+ private String toType() {
+ switch (type) {
+ case STT_NOTYPE:
+ return "NOTYPE";
+ case STT_OBJECT:
+ return "OBJECT";
+ case STT_FUNC:
+ return "FUNC";
+ case STT_SECTION:
+ return "SECTION";
+ case STT_FILE:
+ return "FILE";
+ case STT_COMMON:
+ return "COMMON";
+ case STT_TLS:
+ return "TLS";
+ }
+ return "STT_??? (" + type + ")";
}
- }
- }
- }
-
- private HashMap<String, Symbol> readSymbolTable(long symStrOffset, long symStrSize,
- long tableOffset, long tableSize) throws IOException {
- HashMap<String, Symbol> result = new HashMap<String, Symbol>();
- mFile.seek(tableOffset);
- while (mFile.getFilePointer() < tableOffset + tableSize) {
- long st_name = readWord();
- int st_info;
- if (mAddrSize == 8) {
- st_info = readByte();
- int st_other = readByte();
- int st_shndx = readHalf();
- long st_value = readAddr();
- long st_size = readX(mAddrSize);
- } else {
- long st_value = readAddr();
- long st_size = readWord();
- st_info = readByte();
- int st_other = readByte();
- int st_shndx = readHalf();
- }
- if (st_name == 0) {
- continue;
- }
-
- final String symName = readStrTabEntry(symStrOffset, symStrSize, st_name);
- if (symName != null) {
- Symbol s = new Symbol(symName, st_info);
- result.put(symName, s);
- }
- }
- return result;
- }
-
- private String readShStrTabEntry(long strOffset) throws IOException {
- if (mShStrTabOffset == 0 || strOffset < 0 || strOffset >= mShStrTabSize) {
- return null;
- }
- return readString(mShStrTabOffset + strOffset);
- }
-
- private String readStrTabEntry(long tableOffset, long tableSize, long strOffset) throws IOException {
- if (tableOffset == 0 || strOffset < 0 || strOffset >= tableSize) {
- return null;
- }
- return readString(tableOffset + strOffset);
- }
-
- private int readHalf() throws IOException {
- return (int) readX(2);
- }
-
- private long readWord() throws IOException {
- return readX(4);
- }
-
- private long readOff() throws IOException {
- return readX(mAddrSize);
- }
-
- private long readAddr() throws IOException {
- return readX(mAddrSize);
- }
-
- private long readX(int byteCount) throws IOException {
- mFile.readFully(mBuffer, 0, byteCount);
-
- int answer = 0;
- if (mEndian == ELFDATA2LSB) {
- for (int i = byteCount - 1; i >= 0; i--) {
- answer = (answer << 8) | (mBuffer[i] & 0xff);
- }
- } else {
- final int N = byteCount - 1;
- for (int i = 0; i <= N; ++i) {
- answer = (answer << 8) | (mBuffer[i] & 0xff);
- }
}
- return answer;
- }
+ private final String mPath;
+ private final RandomAccessFile mFile;
+ private final byte[] mBuffer = new byte[512];
+ private int mEndian;
+ private boolean mIsDynamic;
+ private boolean mIsPIE;
+ private int mType;
+ private int mAddrSize;
- private String readString(long offset) throws IOException {
- long originalOffset = mFile.getFilePointer();
- mFile.seek(offset);
- mFile.readFully(mBuffer, 0, (int) Math.min(mBuffer.length, mFile.length() - offset));
- mFile.seek(originalOffset);
+ /** Symbol Table offset */
+ private long mSymTabOffset;
- for (int i = 0; i < mBuffer.length; ++i) {
- if (mBuffer[i] == 0) {
- return new String(mBuffer, 0, i);
- }
+ /** Symbol Table size */
+ private long mSymTabSize;
+
+ /** Dynamic Symbol Table offset */
+ private long mDynSymOffset;
+
+ /** Dynamic Symbol Table size */
+ private long mDynSymSize;
+
+ /** Section Header String Table offset */
+ private long mShStrTabOffset;
+
+ /** Section Header String Table size */
+ private long mShStrTabSize;
+
+ /** String Table offset */
+ private long mStrTabOffset;
+
+ /** String Table size */
+ private long mStrTabSize;
+
+ /** Dynamic String Table offset */
+ private long mDynStrOffset;
+
+ /** Dynamic String Table size */
+ private long mDynStrSize;
+
+ /** Symbol Table symbol names */
+ private Map<String, Symbol> mSymbols;
+
+ /** Dynamic Symbol Table symbol names */
+ private Map<String, Symbol> mDynamicSymbols;
+
+ public static ReadElf read(File file) throws IOException {
+ return new ReadElf(file);
}
- return null;
- }
+ public static void main(String[] args) throws IOException {
+ for (String arg : args) {
+ ReadElf re = new ReadElf(new File(arg));
+ re.getSymbol("x");
+ re.getDynamicSymbol("x");
+ re.close();
+ }
+ }
- private int readByte() throws IOException {
- return mFile.read() & 0xff;
- }
+ public boolean isDynamic() {
+ return mIsDynamic;
+ }
- public Symbol getSymbol(String name) {
- if (mSymbols == null) {
- try {
- mSymbols = readSymbolTable(mStrTabOffset, mStrTabSize, mSymTabOffset, mSymTabSize);
- } catch (IOException e) {
+ public int getType() {
+ return mType;
+ }
+
+ public boolean isPIE() {
+ return mIsPIE;
+ }
+
+ private ReadElf(File file) throws IOException {
+ mPath = file.getPath();
+ mFile = new RandomAccessFile(file, "r");
+
+ if (mFile.length() < EI_NIDENT) {
+ throw new IllegalArgumentException("Too small to be an ELF file: " + file);
+ }
+
+ readHeader();
+ }
+
+ @Override
+ public void close() {
+ try {
+ mFile.close();
+ } catch (IOException ignored) {
+ }
+ }
+
+ @Override
+ protected void finalize() throws Throwable {
+ try {
+ close();
+ } finally {
+ super.finalize();
+ }
+ }
+
+ private void readHeader() throws IOException {
+ mFile.seek(0);
+ mFile.readFully(mBuffer, 0, EI_NIDENT);
+
+ if (mBuffer[0] != ELFMAG[0] || mBuffer[1] != ELFMAG[1] ||
+ mBuffer[2] != ELFMAG[2] || mBuffer[3] != ELFMAG[3]) {
+ throw new IllegalArgumentException("Invalid ELF file: " + mPath);
+ }
+
+ int elfClass = mBuffer[EI_CLASS];
+ if (elfClass == ELFCLASS32) {
+ mAddrSize = 4;
+ } else if (elfClass == ELFCLASS64) {
+ mAddrSize = 8;
+ } else {
+ throw new IOException("Invalid ELF EI_CLASS: " + elfClass + ": " + mPath);
+ }
+
+ mEndian = mBuffer[EI_DATA];
+ if (mEndian == ELFDATA2LSB) {
+ } else if (mEndian == ELFDATA2MSB) {
+ throw new IOException("Unsupported ELFDATA2MSB file: " + mPath);
+ } else {
+ throw new IOException("Invalid ELF EI_DATA: " + mEndian + ": " + mPath);
+ }
+
+ mType = readHalf();
+
+ int e_machine = readHalf();
+ if (e_machine != EM_386 && e_machine != EM_X86_64 &&
+ e_machine != EM_AARCH64 && e_machine != EM_ARM &&
+ e_machine != EM_MIPS &&
+ e_machine != EM_QDSP6) {
+ throw new IOException("Invalid ELF e_machine: " + e_machine + ": " + mPath);
+ }
+
+ // AbiTest relies on us rejecting any unsupported combinations.
+ if ((e_machine == EM_386 && elfClass != ELFCLASS32) ||
+ (e_machine == EM_X86_64 && elfClass != ELFCLASS64) ||
+ (e_machine == EM_AARCH64 && elfClass != ELFCLASS64) ||
+ (e_machine == EM_ARM && elfClass != ELFCLASS32) ||
+ (e_machine == EM_QDSP6 && elfClass != ELFCLASS32)) {
+ throw new IOException("Invalid e_machine/EI_CLASS ELF combination: " +
+ e_machine + "/" + elfClass + ": " + mPath);
+ }
+
+ long e_version = readWord();
+ if (e_version != EV_CURRENT) {
+ throw new IOException("Invalid e_version: " + e_version + ": " + mPath);
+ }
+
+ long e_entry = readAddr();
+
+ long ph_off = readOff();
+ long sh_off = readOff();
+
+ long e_flags = readWord();
+ int e_ehsize = readHalf();
+ int e_phentsize = readHalf();
+ int e_phnum = readHalf();
+ int e_shentsize = readHalf();
+ int e_shnum = readHalf();
+ int e_shstrndx = readHalf();
+
+ readSectionHeaders(sh_off, e_shnum, e_shentsize, e_shstrndx);
+ readProgramHeaders(ph_off, e_phnum, e_phentsize);
+ }
+
+ private void readSectionHeaders(long sh_off, int e_shnum, int e_shentsize, int e_shstrndx)
+ throws IOException {
+ // Read the Section Header String Table offset first.
+ {
+ mFile.seek(sh_off + e_shstrndx * e_shentsize);
+
+ long sh_name = readWord();
+ long sh_type = readWord();
+ long sh_flags = readX(mAddrSize);
+ long sh_addr = readAddr();
+ long sh_offset = readOff();
+ long sh_size = readX(mAddrSize);
+ // ...
+
+ if (sh_type == SHT_STRTAB) {
+ mShStrTabOffset = sh_offset;
+ mShStrTabSize = sh_size;
+ }
+ }
+
+ for (int i = 0; i < e_shnum; ++i) {
+ // Don't bother to re-read the Section Header StrTab.
+ if (i == e_shstrndx) {
+ continue;
+ }
+
+ mFile.seek(sh_off + i * e_shentsize);
+
+ long sh_name = readWord();
+ long sh_type = readWord();
+ long sh_flags = readX(mAddrSize);
+ long sh_addr = readAddr();
+ long sh_offset = readOff();
+ long sh_size = readX(mAddrSize);
+
+ if (sh_type == SHT_SYMTAB || sh_type == SHT_DYNSYM) {
+ final String symTabName = readShStrTabEntry(sh_name);
+ if (".symtab".equals(symTabName)) {
+ mSymTabOffset = sh_offset;
+ mSymTabSize = sh_size;
+ } else if (".dynsym".equals(symTabName)) {
+ mDynSymOffset = sh_offset;
+ mDynSymSize = sh_size;
+ }
+ } else if (sh_type == SHT_STRTAB) {
+ final String strTabName = readShStrTabEntry(sh_name);
+ if (".strtab".equals(strTabName)) {
+ mStrTabOffset = sh_offset;
+ mStrTabSize = sh_size;
+ } else if (".dynstr".equals(strTabName)) {
+ mDynStrOffset = sh_offset;
+ mDynStrSize = sh_size;
+ }
+ } else if (sh_type == SHT_DYNAMIC) {
+ mIsDynamic = true;
+ }
+ }
+ }
+
+ private void readProgramHeaders(long ph_off, int e_phnum, int e_phentsize) throws IOException {
+ for (int i = 0; i < e_phnum; ++i) {
+ mFile.seek(ph_off + i * e_phentsize);
+
+ long p_type = readWord();
+ if (p_type == PT_LOAD) {
+ if (mAddrSize == 8) {
+ // Only in Elf64_phdr; in Elf32_phdr p_flags is at the end.
+ long p_flags = readWord();
+ }
+ long p_offset = readOff();
+ long p_vaddr = readAddr();
+ // ...
+
+ if (p_vaddr == 0) {
+ mIsPIE = true;
+ }
+ }
+ }
+ }
+
+ private HashMap<String, Symbol> readSymbolTable(long symStrOffset, long symStrSize,
+ long tableOffset, long tableSize) throws IOException {
+ HashMap<String, Symbol> result = new HashMap<String, Symbol>();
+ mFile.seek(tableOffset);
+ while (mFile.getFilePointer() < tableOffset + tableSize) {
+ long st_name = readWord();
+ int st_info;
+ if (mAddrSize == 8) {
+ st_info = readByte();
+ int st_other = readByte();
+ int st_shndx = readHalf();
+ long st_value = readAddr();
+ long st_size = readX(mAddrSize);
+ } else {
+ long st_value = readAddr();
+ long st_size = readWord();
+ st_info = readByte();
+ int st_other = readByte();
+ int st_shndx = readHalf();
+ }
+ if (st_name == 0) {
+ continue;
+ }
+
+ final String symName = readStrTabEntry(symStrOffset, symStrSize, st_name);
+ if (symName != null) {
+ Symbol s = new Symbol(symName, st_info);
+ result.put(symName, s);
+ }
+ }
+ return result;
+ }
+
+ private String readShStrTabEntry(long strOffset) throws IOException {
+ if (mShStrTabOffset == 0 || strOffset < 0 || strOffset >= mShStrTabSize) {
+ return null;
+ }
+ return readString(mShStrTabOffset + strOffset);
+ }
+
+ private String readStrTabEntry(long tableOffset, long tableSize, long strOffset)
+ throws IOException {
+ if (tableOffset == 0 || strOffset < 0 || strOffset >= tableSize) {
+ return null;
+ }
+ return readString(tableOffset + strOffset);
+ }
+
+ private int readHalf() throws IOException {
+ return (int) readX(2);
+ }
+
+ private long readWord() throws IOException {
+ return readX(4);
+ }
+
+ private long readOff() throws IOException {
+ return readX(mAddrSize);
+ }
+
+ private long readAddr() throws IOException {
+ return readX(mAddrSize);
+ }
+
+ private long readX(int byteCount) throws IOException {
+ mFile.readFully(mBuffer, 0, byteCount);
+
+ int answer = 0;
+ if (mEndian == ELFDATA2LSB) {
+ for (int i = byteCount - 1; i >= 0; i--) {
+ answer = (answer << 8) | (mBuffer[i] & 0xff);
+ }
+ } else {
+ final int N = byteCount - 1;
+ for (int i = 0; i <= N; ++i) {
+ answer = (answer << 8) | (mBuffer[i] & 0xff);
+ }
+ }
+
+ return answer;
+ }
+
+ private String readString(long offset) throws IOException {
+ long originalOffset = mFile.getFilePointer();
+ mFile.seek(offset);
+ mFile.readFully(mBuffer, 0, (int) Math.min(mBuffer.length, mFile.length() - offset));
+ mFile.seek(originalOffset);
+
+ for (int i = 0; i < mBuffer.length; ++i) {
+ if (mBuffer[i] == 0) {
+ return new String(mBuffer, 0, i);
+ }
+ }
+
return null;
- }
}
- return mSymbols.get(name);
- }
- public Symbol getDynamicSymbol(String name) {
- if (mDynamicSymbols == null) {
- try {
- mDynamicSymbols = readSymbolTable(mDynStrOffset, mDynStrSize, mDynSymOffset, mDynSymSize);
- } catch (IOException e) {
- return null;
- }
+ private int readByte() throws IOException {
+ return mFile.read() & 0xff;
}
- return mDynamicSymbols.get(name);
- }
+
+ public Symbol getSymbol(String name) {
+ if (mSymbols == null) {
+ try {
+ mSymbols = readSymbolTable(mStrTabOffset, mStrTabSize, mSymTabOffset, mSymTabSize);
+ } catch (IOException e) {
+ return null;
+ }
+ }
+ return mSymbols.get(name);
+ }
+
+ public Symbol getDynamicSymbol(String name) {
+ if (mDynamicSymbols == null) {
+ try {
+ mDynamicSymbols = readSymbolTable(
+ mDynStrOffset, mDynStrSize, mDynSymOffset, mDynSymSize);
+ } catch (IOException e) {
+ return null;
+ }
+ }
+ return mDynamicSymbols.get(name);
+ }
}
diff --git a/tests/tests/security/Android.mk b/tests/tests/security/Android.mk
index 6a7833d..10ad5f8 100644
--- a/tests/tests/security/Android.mk
+++ b/tests/tests/security/Android.mk
@@ -40,7 +40,7 @@
include $(BUILD_CTS_PACKAGE)
selinux_policy.xml := $(sepolicy_asset_dir)/selinux_policy.xml
-selinux_policy_parser := packages/experimental/SELinux/CTS/src/gen_SELinux_CTS.py
+selinux_policy_parser := cts/tools/selinux/src/gen_SELinux_CTS.py
general_sepolicy_policy.conf := $(call intermediates-dir-for,ETC,general_sepolicy.conf)/general_sepolicy.conf
$(selinux_policy.xml): PRIVATE_POLICY_PARSER := $(selinux_policy_parser)
$(selinux_policy.xml): $(general_sepolicy_policy.conf) $(selinux_policy_parser)
diff --git a/tools/selinux/src/SELinux_CTS.py b/tools/selinux/src/SELinux_CTS.py
new file mode 100644
index 0000000..ec12be0
--- /dev/null
+++ b/tools/selinux/src/SELinux_CTS.py
@@ -0,0 +1,542 @@
+import pdb
+import re
+from xml.etree.ElementTree import Element, SubElement, tostring
+
+#define equivalents
+TYPE = 0
+ATTRIBUTE = 1
+TYPEATTRIBUTE = 2
+CLASS = 3
+COMMON = 4
+ALLOW_RULE = 5
+NEVERALLOW_RULE = 6
+OTHER = 7
+
+#define helper methods
+# advance_past_whitespace(): helper function to skip whitespace at current
+# position in file.
+# returns: the non-whitespace character at the file's new position
+#TODO: should I deal with comments here as well?
+def advance_past_whitespace(file_obj):
+ c = file_obj.read(1)
+ while c.isspace():
+ c = file_obj.read(1)
+ file_obj.seek(-1, 1)
+ return c
+
+# advance_until_whitespace(): helper function to grab the string represented
+# by the current position in file until next whitespace.
+# returns: string until next whitespace. overlooks comments.
+def advance_until_whitespace(file_obj):
+ ret_string = ""
+ c = file_obj.read(1)
+ #TODO: make a better way to deal with ':' and ';'
+ while not (c.isspace() or c == ':' or c == '' or c == ';'):
+ #don't count comments
+ if c == '#':
+ file_obj.readline()
+ return ret_string
+ else:
+ ret_string+=c
+ c = file_obj.read(1)
+ if not c == ':':
+ file_obj.seek(-1, 1)
+ return ret_string
+
+# expand_avc_rule - takes a processed avc rule and converts it into a list of
+# 4-tuples for use in an access check of form:
+ # (source_type, target_type, class, permission)
+def expand_avc_rule(policy, avc_rule):
+ ret_list = [ ]
+
+ #expand source_types
+ source_types = avc_rule['source_types']['set']
+ source_types = policy.expand_types(source_types)
+ if(avc_rule['source_types']['flags']['complement']):
+ #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+ source_types = policy.types - source_types #complement these types
+ if len(source_types) == 0:
+ print "ERROR: source_types empty after expansion"
+ print "Before: "
+ print avc_rule['source_types']['set']
+ return
+
+ #expand target_types
+ target_types = avc_rule['target_types']['set']
+ target_types = policy.expand_types(target_types)
+ if(avc_rule['target_types']['flags']['complement']):
+ #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+ target_types = policy.types - target_types #complement these types
+ if len(target_types) == 0:
+ print "ERROR: target_types empty after expansion"
+ print "Before: "
+ print avc_rule['target_types']['set']
+ return
+
+ # get classes
+ rule_classes = avc_rule['classes']['set']
+ if '' in rule_classes:
+ print "FOUND EMPTY STRING IN CLASSES"
+ print "Total sets:"
+ print avc_rule['source_types']['set']
+ print avc_rule['target_types']['set']
+ print rule_classes
+ print avc_rule['permissions']['set']
+
+ if len(rule_classes) == 0:
+ print "ERROR: empy set of object classes in avc rule"
+ return
+
+ # get permissions
+ permissions = avc_rule['permissions']['set']
+ if len(permissions) == 0:
+ print "ERROR: empy set of permissions in avc rule\n"
+ return
+
+ #create the list with collosal nesting, n^4 baby!
+ for s in source_types:
+ for t in target_types:
+ for c in rule_classes:
+ if c == '':
+ continue
+ #expand permissions on a per-class basis
+ exp_permissions = policy.expand_permissions(c, permissions)
+ if(avc_rule['permissions']['flags']['complement']):
+ exp_permissions = policy.classes[c] - exp_permissions
+ if len(exp_permissions) == 0:
+ print "ERROR: permissions empty after expansion\n"
+ print "Before: "
+ print avc_rule['permissions']['set']
+ return
+ for p in exp_permissions:
+ source = s
+ if t == 'self':
+ target = s
+ else:
+ target = t
+ obj_class = c
+ permission = p
+ ret_list.append((source, target, obj_class, permission))
+ return ret_list
+
+# expand_avc_rule - takes a processed avc rule and converts it into an xml
+# representation with the information needed in a checkSELinuxAccess() call.
+# (source_type, target_type, class, permission)
+def expand_avc_rule_to_xml(policy, avc_rule, rule_name, rule_type):
+ rule_xml = Element('avc_rule')
+ rule_xml.set('name', rule_name)
+ rule_xml.set('type', rule_type)
+
+ #expand source_types
+ source_types = avc_rule['source_types']['set']
+ source_types = policy.expand_types(source_types)
+ if(avc_rule['source_types']['flags']['complement']):
+ #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+ source_types = policy.types - source_types #complement these types
+ if len(source_types) == 0:
+ print "ERROR: source_types empty after expansion"
+ print "Before: "
+ print avc_rule['source_types']['set']
+ return
+ for s in source_types:
+ elem = SubElement(rule_xml, 'type')
+ elem.set('type', 'source')
+ elem.text = s
+
+ #expand target_types
+ target_types = avc_rule['target_types']['set']
+ target_types = policy.expand_types(target_types)
+ if(avc_rule['target_types']['flags']['complement']):
+ #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+ target_types = policy.types - target_types #complement these types
+ if len(target_types) == 0:
+ print "ERROR: target_types empty after expansion"
+ print "Before: "
+ print avc_rule['target_types']['set']
+ return
+ for t in target_types:
+ elem = SubElement(rule_xml, 'type')
+ elem.set('type', 'target')
+ elem.text = t
+
+ # get classes
+ rule_classes = avc_rule['classes']['set']
+
+ if len(rule_classes) == 0:
+ print "ERROR: empy set of object classes in avc rule"
+ return
+
+ # get permissions
+ permissions = avc_rule['permissions']['set']
+ if len(permissions) == 0:
+ print "ERROR: empy set of permissions in avc rule\n"
+ return
+
+ # permissions are class-dependent, so bundled together
+ for c in rule_classes:
+ if c == '':
+ print "AH!!! empty class found!\n"
+ continue
+ c_elem = SubElement(rule_xml, 'obj_class')
+ c_elem.set('name', c)
+ #expand permissions on a per-class basis
+ exp_permissions = policy.expand_permissions(c, permissions)
+ if(avc_rule['permissions']['flags']['complement']):
+ exp_permissions = policy.classes[c] - exp_permissions
+ if len(exp_permissions) == 0:
+ print "ERROR: permissions empty after expansion\n"
+ print "Before: "
+ print avc_rule['permissions']['set']
+ return
+
+ for p in exp_permissions:
+ p_elem = SubElement(c_elem, 'permission')
+ p_elem.text = p
+
+ return rule_xml
+
+# expand_brackets - helper function which reads a file into a string until '{ }'s
+# are balanced. Brackets are removed from the string. This function is based
+# on the understanding that nested brackets in our policy.conf file occur only due
+# to macro expansion, and we just need to know how much is included in a given
+# policy sub-component.
+def expand_brackets(file_obj):
+ ret_string = ""
+ c = file_obj.read(1)
+ if not c == '{':
+ print "Invalid bracket expression: " + c + "\n"
+ file_obj.seek(-1, 1)
+ return ""
+ else:
+ bracket_count = 1
+ while bracket_count > 0:
+ c = file_obj.read(1)
+ if c == '{':
+ bracket_count+=1
+ elif c == '}':
+ bracket_count-=1
+ elif c == '#':
+ #get rid of comment and replace with whitespace
+ file_obj.readline()
+ ret_string+=' '
+ else:
+ ret_string+=c
+ return ret_string
+
+# get_avc_rule_component - grabs the next component from an avc rule. Basically,
+# just reads the next word or bracketed set of words.
+# returns - a set of the word, or words with metadata
+def get_avc_rule_component(file_obj):
+ ret_dict = { 'flags': {}, 'set': set() }
+ c = advance_past_whitespace(file_obj)
+ if c == '~':
+ ret_dict['flags']['complement'] = True
+ file_obj.read(1) #move to next char
+ c = advance_past_whitespace(file_obj)
+ else:
+ ret_dict['flags']['complement'] = False
+ if not c == '{':
+ #TODO: change operations on file to operations on string?
+ single_type = advance_until_whitespace(file_obj)
+ ret_dict['set'].add(single_type)
+ else:
+ mult_types = expand_brackets(file_obj)
+ mult_types = mult_types.split()
+ for t in mult_types:
+ ret_dict['set'].add(t)
+ return ret_dict
+
+def get_line_type(line):
+ if re.search(r'^type\s', line):
+ return TYPE
+ if re.search(r'^attribute\s', line):
+ return ATTRIBUTE
+ if re.search(r'^typeattribute\s', line):
+ return TYPEATTRIBUTE
+ if re.search(r'^class\s', line):
+ return CLASS
+ if re.search(r'^common\s', line):
+ return COMMON
+ if re.search(r'^allow\s', line):
+ return ALLOW_RULE
+ if re.search(r'^neverallow\s', line):
+ return NEVERALLOW_RULE
+ else:
+ return OTHER
+
+def is_multi_line(line_type):
+ if line_type == CLASS:
+ return True
+ elif line_type == COMMON:
+ return True
+ elif line_type == ALLOW_RULE:
+ return True
+ elif line_type == NEVERALLOW_RULE:
+ return True
+ else:
+ return False
+
+
+#should only be called with file pointing to the 'i' in 'inherits' segment
+def process_inherits_segment(file_obj):
+ inherit_keyword = file_obj.read(8)
+ if not inherit_keyword == 'inherits':
+ #TODO: handle error, invalid class statement
+ print "ERROR: invalid inherits statement"
+ return
+ else:
+ advance_past_whitespace(file_obj)
+ ret_inherited_common = advance_until_whitespace(file_obj)
+ return ret_inherited_common
+
+class SELinuxPolicy:
+
+ def __init__(self):
+ self.types = set()
+ self.attributes = { }
+ self.classes = { }
+ self.common_classes = { }
+ self.allow_rules = [ ]
+ self.neverallow_rules = [ ]
+
+ # create policy directly from policy file
+ #@classmethod
+ def from_file_name(self, policy_file_name):
+ self.types = set()
+ self.attributes = { }
+ self.classes = { }
+ self.common_classes = { }
+ self.allow_rules = [ ]
+ self.neverallow_rules = [ ]
+ with open(policy_file_name, 'r') as policy_file:
+ line = policy_file.readline()
+ while line:
+ line_type = get_line_type(line)
+ if is_multi_line(line_type):
+ self.parse_multi_line(line, line_type, policy_file)
+ else:
+ self.parse_single_line(line, line_type)
+ line = policy_file.readline()
+
+ # expand_permissions - generates the actual permission set based on the listed
+ # permissions with wildcards and the given class on which they're based.
+ def expand_permissions(self, obj_class, permission_set):
+ ret_set = set()
+ neg_set = set()
+ for p in permission_set:
+ if p[0] == '-':
+ real_p = p[1:]
+ if real_p in self.classes[obj_class]:
+ neg_set.add(real_p)
+ else:
+ print "ERROR: invalid permission in avc rule " + real_t + "\n"
+ return
+ else:
+ if p in self.classes[obj_class]:
+ ret_set.add(p)
+ elif p == '*': #pretty sure this can't be negated? eg -*
+ ret_set |= self.classes[obj_class] #All of the permissions
+ else:
+ print "ERROR: invalid permission in avc rule " + p + "\n"
+ return
+ return ret_set - neg_set
+
+ # expand_types - generates the actual type set based on the listed types,
+ # attributes, wildcards and negation. self is left as-is, and is processed
+ # specially when generating checkAccess() 4-tuples
+ def expand_types(self, type_set):
+ ret_set = set()
+ neg_set = set()
+ for t in type_set:
+ if t[0] == '-':
+ real_t = t[1:]
+ if real_t in self.attributes:
+ neg_set |= self.attributes[real_t]
+ elif real_t in self.types:
+ neg_set.add(real_t)
+ elif real_t == 'self':
+ ret_set |= real_t
+ else:
+ print "ERROR: invalid type in avc rule " + real_t + "\nTYPE SET:"
+ print type_set
+ return
+ else:
+ if t in self.attributes:
+ ret_set |= self.attributes[t]
+ elif t in self.types:
+ ret_set.add(t)
+ elif t == 'self':
+ ret_set.add(t)
+ elif t == '*': #pretty sure this can't be negated?
+ ret_set |= self.types #All of the types
+ else:
+ print "ERROR: invalid type in avc rule " + t + "\nTYPE SET"
+ print type_set
+ return
+ return ret_set - neg_set
+
+ def parse_multi_line(self, line, line_type, file_obj):
+ if line_type == CLASS:
+ self.process_class_line(line, file_obj)
+ elif line_type == COMMON:
+ self.process_common_line(line, file_obj)
+ elif line_type == ALLOW_RULE:
+ self.process_avc_rule_line(line, file_obj)
+ elif line_type == NEVERALLOW_RULE:
+ self.process_avc_rule_line(line, file_obj)
+ else:
+ print "Error: This is not a multi-line input"
+
+ def parse_single_line(self, line, line_type):
+ if line_type == TYPE:
+ self.process_type_line(line)
+ elif line_type == ATTRIBUTE:
+ self.process_attribute_line(line)
+ elif line_type == TYPEATTRIBUTE:
+ self.process_typeattribute_line(line)
+ return
+
+ def process_attribute_line(self, line):
+ match = re.search(r'^attribute\s+(.+);', line)
+ if match:
+ declared_attribute = match.group(1)
+ self.attributes[declared_attribute] = set()
+ else:
+ #TODO: handle error? (no state changed)
+ return
+
+ def process_class_line(self, line, file_obj):
+ match = re.search(r'^class\s([^\s]+)\s(.*$)', line)
+ if match:
+ declared_class = match.group(1)
+ #first class declaration has no perms
+ if not declared_class in self.classes:
+ self.classes[declared_class] = set()
+ return
+ else:
+ #need to parse file from after class name until end of '{ }'s
+ file_obj.seek(-(len(match.group(2)) + 1), 1)
+ c = advance_past_whitespace(file_obj)
+ if not (c == 'i' or c == '{'):
+ print "ERROR: invalid class statement"
+ return
+ elif c == 'i':
+ #add inherited permissions
+ inherited = process_inherits_segment(file_obj)
+ self.classes[declared_class] |= self.common_classes[inherited]
+ c = advance_past_whitespace(file_obj)
+ if c == '{':
+ permissions = expand_brackets(file_obj)
+ permissions = re.sub(r'#[^\n]*\n','\n' , permissions) #get rid of all comments
+ permissions = permissions.split()
+ for p in permissions:
+ self.classes[declared_class].add(p)
+
+ def process_common_line(self, line, file_obj):
+ match = re.search(r'^common\s([^\s]+)(.*$)', line)
+ if match:
+ declared_common_class = match.group(1)
+ #TODO: common classes should only be declared once...
+ if not declared_common_class in self.common_classes:
+ self.common_classes[declared_common_class] = set()
+ #need to parse file from after common_class name until end of '{ }'s
+ file_obj.seek(-(len(match.group(2)) + 1), 1)
+ c = advance_past_whitespace(file_obj)
+ if not c == '{':
+ print "ERROR: invalid common statement"
+ return
+ permissions = expand_brackets(file_obj)
+ permissions = permissions.split()
+ for p in permissions:
+ self.common_classes[declared_common_class].add(p)
+ return
+
+ def process_avc_rule_line(self, line, file_obj):
+ match = re.search(r'^(never)?allow\s(.*$)', line)
+ if match:
+ if(match.group(1)):
+ rule_type = 'neverallow'
+ else:
+ rule_type = 'allow'
+ #need to parse file from after class name until end of '{ }'s
+ file_obj.seek(-(len(match.group(2)) + 1), 1)
+
+ #grab source type(s)
+ source_types = get_avc_rule_component(file_obj)
+ if len(source_types['set']) == 0:
+ print "ERROR: no source types for avc rule at line: " + line
+ return
+
+ #grab target type(s)
+ target_types = get_avc_rule_component(file_obj)
+ if len(target_types['set']) == 0:
+ print "ERROR: no target types for avc rule at line: " + line
+ return
+
+ #skip ':' potentially already handled by advance_until_whitespace
+ c = advance_past_whitespace(file_obj)
+ if c == ':':
+ file_obj.read(1)
+
+ #grab class(es)
+ classes = get_avc_rule_component(file_obj)
+ if len(classes['set']) == 0:
+ print "ERROR: no classes for avc rule at line: " + line
+ return
+
+ #grab permission(s)
+ permissions = get_avc_rule_component(file_obj)
+ if len(permissions['set']) == 0:
+ print "ERROR: no permissions for avc rule at line: " + line
+ return
+ rule_dict = {
+ 'source_types': source_types,
+ 'target_types': target_types,
+ 'classes': classes,
+ 'permissions': permissions }
+
+ if rule_type == 'allow':
+ self.allow_rules.append(rule_dict)
+ elif rule_type == 'neverallow':
+ self.neverallow_rules.append(rule_dict)
+
+ def process_type_line(self, line):
+ #TODO: add support for aliases (not yet in current policy.conf)
+ match = re.search(r'^type\s([^,]+),?(.*);', line)
+ if match:
+ declared_type = match.group(1)
+ self.types.add(declared_type)
+ if match.group(2):
+ declared_attributes = match.group(2)
+ declared_attributes = declared_attributes.replace(" ", "") #remove whitespace
+ declared_attributes = declared_attributes.split(',') #separate based on delimiter
+ for a in declared_attributes:
+ if not a in self.attributes:
+ #TODO: hanlde error? attribute should already exist
+ self.attributes[a] = set()
+ self.attributes[a].add(declared_type)
+ else:
+ #TODO: handle error? (no state changed)
+ return
+
+ def process_typeattribute_line(self, line):
+ match = re.search(r'^typeattribute\s([^\s]+)\s(.*);', line)
+ if match:
+ declared_type = match.group(1)
+ if not declared_type in self.types:
+ #TODO: handle error? type should already exist
+ self.types.add(declared_type)
+ if match.group(2):
+ declared_attributes = match.group(2)
+ declared_attributes = declared_attributes.replace(" ", "") #remove whitespace
+ declared_attributes = declared_attributes.split(',') #separate based on delimiter
+ for a in declared_attributes:
+ if not a in self.attributes:
+ #TODO: hanlde error? attribute should already exist
+ self.attributes[a] = set()
+ self.attributes[a].add(declared_type)
+ else:
+ return
+ else:
+ #TODO: handle error? (no state changed)
+ return
diff --git a/tools/selinux/src/example_input_policy.conf b/tools/selinux/src/example_input_policy.conf
new file mode 100644
index 0000000..aeef5f8
--- /dev/null
+++ b/tools/selinux/src/example_input_policy.conf
@@ -0,0 +1,9850 @@
+#line 1 "external/sepolicy/security_classes"
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd # userspace
+
+# SE-X Windows stuff (more classes below)
+class x_drawable # userspace
+class x_screen # userspace
+class x_gc # userspace
+class x_font # userspace
+class x_colormap # userspace
+class x_property # userspace
+class x_selection # userspace
+class x_cursor # userspace
+class x_client # userspace
+class x_device # userspace
+class x_server # userspace
+class x_extension # userspace
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus # userspace
+class nscd # userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class context # userspace
+
+class dccp_socket
+
+class memprotect
+
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# More SE-X Windows stuff
+class x_resource # userspace
+class x_event # userspace
+class x_synthetic_event # userspace
+class x_application_data # userspace
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
+# More Database stuff
+class db_schema # userspace
+class db_view # userspace
+class db_sequence # userspace
+class db_language # userspace
+
+class binder
+class zygote
+
+# Property service
+class property_service # userspace
+
+# FLASK
+#line 1 "external/sepolicy/initial_sids"
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
+#line 1 "external/sepolicy/access_vectors"
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class zygote
+{
+ specifyids
+ specifyrlimits
+ specifycapabilities
+ specifyinvokewith
+ specifyseinfo
+}
+
+class property_service
+{
+ set
+}
+#line 1 "external/sepolicy/global_macros"
+#####################################
+# Common groupings of object classes.
+#
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#####################################
+# Common groupings of permissions.
+#
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#####################################
+# Common socket permission sets.
+
+
+#line 1 "external/sepolicy/mls_macros"
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+#line 10
+
+
+
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+#line 24
+
+
+
+
+#line 34
+
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+#line 45
+
+
+
+
+########################################
+#
+# Basic level names for system low and high
+#
+
+
+#line 1 "external/sepolicy/mls"
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+
+#line 6
+# Each sensitivity has a name and zero or more aliases.
+#line 6
+sensitivity s0;
+#line 6
+
+#line 6
+
+#line 6
+# Define the ordering of the sensitivity levels (least to greatest)
+#line 6
+dominance { s0 }
+#line 6
+
+category c0;
+#line 7
+category c1;
+#line 7
+category c2;
+#line 7
+category c3;
+#line 7
+category c4;
+#line 7
+category c5;
+#line 7
+category c6;
+#line 7
+category c7;
+#line 7
+category c8;
+#line 7
+category c9;
+#line 7
+category c10;
+#line 7
+category c11;
+#line 7
+category c12;
+#line 7
+category c13;
+#line 7
+category c14;
+#line 7
+category c15;
+#line 7
+category c16;
+#line 7
+category c17;
+#line 7
+category c18;
+#line 7
+category c19;
+#line 7
+category c20;
+#line 7
+category c21;
+#line 7
+category c22;
+#line 7
+category c23;
+#line 7
+category c24;
+#line 7
+category c25;
+#line 7
+category c26;
+#line 7
+category c27;
+#line 7
+category c28;
+#line 7
+category c29;
+#line 7
+category c30;
+#line 7
+category c31;
+#line 7
+category c32;
+#line 7
+category c33;
+#line 7
+category c34;
+#line 7
+category c35;
+#line 7
+category c36;
+#line 7
+category c37;
+#line 7
+category c38;
+#line 7
+category c39;
+#line 7
+category c40;
+#line 7
+category c41;
+#line 7
+category c42;
+#line 7
+category c43;
+#line 7
+category c44;
+#line 7
+category c45;
+#line 7
+category c46;
+#line 7
+category c47;
+#line 7
+category c48;
+#line 7
+category c49;
+#line 7
+category c50;
+#line 7
+category c51;
+#line 7
+category c52;
+#line 7
+category c53;
+#line 7
+category c54;
+#line 7
+category c55;
+#line 7
+category c56;
+#line 7
+category c57;
+#line 7
+category c58;
+#line 7
+category c59;
+#line 7
+category c60;
+#line 7
+category c61;
+#line 7
+category c62;
+#line 7
+category c63;
+#line 7
+category c64;
+#line 7
+category c65;
+#line 7
+category c66;
+#line 7
+category c67;
+#line 7
+category c68;
+#line 7
+category c69;
+#line 7
+category c70;
+#line 7
+category c71;
+#line 7
+category c72;
+#line 7
+category c73;
+#line 7
+category c74;
+#line 7
+category c75;
+#line 7
+category c76;
+#line 7
+category c77;
+#line 7
+category c78;
+#line 7
+category c79;
+#line 7
+category c80;
+#line 7
+category c81;
+#line 7
+category c82;
+#line 7
+category c83;
+#line 7
+category c84;
+#line 7
+category c85;
+#line 7
+category c86;
+#line 7
+category c87;
+#line 7
+category c88;
+#line 7
+category c89;
+#line 7
+category c90;
+#line 7
+category c91;
+#line 7
+category c92;
+#line 7
+category c93;
+#line 7
+category c94;
+#line 7
+category c95;
+#line 7
+category c96;
+#line 7
+category c97;
+#line 7
+category c98;
+#line 7
+category c99;
+#line 7
+category c100;
+#line 7
+category c101;
+#line 7
+category c102;
+#line 7
+category c103;
+#line 7
+category c104;
+#line 7
+category c105;
+#line 7
+category c106;
+#line 7
+category c107;
+#line 7
+category c108;
+#line 7
+category c109;
+#line 7
+category c110;
+#line 7
+category c111;
+#line 7
+category c112;
+#line 7
+category c113;
+#line 7
+category c114;
+#line 7
+category c115;
+#line 7
+category c116;
+#line 7
+category c117;
+#line 7
+category c118;
+#line 7
+category c119;
+#line 7
+category c120;
+#line 7
+category c121;
+#line 7
+category c122;
+#line 7
+category c123;
+#line 7
+category c124;
+#line 7
+category c125;
+#line 7
+category c126;
+#line 7
+category c127;
+#line 7
+category c128;
+#line 7
+category c129;
+#line 7
+category c130;
+#line 7
+category c131;
+#line 7
+category c132;
+#line 7
+category c133;
+#line 7
+category c134;
+#line 7
+category c135;
+#line 7
+category c136;
+#line 7
+category c137;
+#line 7
+category c138;
+#line 7
+category c139;
+#line 7
+category c140;
+#line 7
+category c141;
+#line 7
+category c142;
+#line 7
+category c143;
+#line 7
+category c144;
+#line 7
+category c145;
+#line 7
+category c146;
+#line 7
+category c147;
+#line 7
+category c148;
+#line 7
+category c149;
+#line 7
+category c150;
+#line 7
+category c151;
+#line 7
+category c152;
+#line 7
+category c153;
+#line 7
+category c154;
+#line 7
+category c155;
+#line 7
+category c156;
+#line 7
+category c157;
+#line 7
+category c158;
+#line 7
+category c159;
+#line 7
+category c160;
+#line 7
+category c161;
+#line 7
+category c162;
+#line 7
+category c163;
+#line 7
+category c164;
+#line 7
+category c165;
+#line 7
+category c166;
+#line 7
+category c167;
+#line 7
+category c168;
+#line 7
+category c169;
+#line 7
+category c170;
+#line 7
+category c171;
+#line 7
+category c172;
+#line 7
+category c173;
+#line 7
+category c174;
+#line 7
+category c175;
+#line 7
+category c176;
+#line 7
+category c177;
+#line 7
+category c178;
+#line 7
+category c179;
+#line 7
+category c180;
+#line 7
+category c181;
+#line 7
+category c182;
+#line 7
+category c183;
+#line 7
+category c184;
+#line 7
+category c185;
+#line 7
+category c186;
+#line 7
+category c187;
+#line 7
+category c188;
+#line 7
+category c189;
+#line 7
+category c190;
+#line 7
+category c191;
+#line 7
+category c192;
+#line 7
+category c193;
+#line 7
+category c194;
+#line 7
+category c195;
+#line 7
+category c196;
+#line 7
+category c197;
+#line 7
+category c198;
+#line 7
+category c199;
+#line 7
+category c200;
+#line 7
+category c201;
+#line 7
+category c202;
+#line 7
+category c203;
+#line 7
+category c204;
+#line 7
+category c205;
+#line 7
+category c206;
+#line 7
+category c207;
+#line 7
+category c208;
+#line 7
+category c209;
+#line 7
+category c210;
+#line 7
+category c211;
+#line 7
+category c212;
+#line 7
+category c213;
+#line 7
+category c214;
+#line 7
+category c215;
+#line 7
+category c216;
+#line 7
+category c217;
+#line 7
+category c218;
+#line 7
+category c219;
+#line 7
+category c220;
+#line 7
+category c221;
+#line 7
+category c222;
+#line 7
+category c223;
+#line 7
+category c224;
+#line 7
+category c225;
+#line 7
+category c226;
+#line 7
+category c227;
+#line 7
+category c228;
+#line 7
+category c229;
+#line 7
+category c230;
+#line 7
+category c231;
+#line 7
+category c232;
+#line 7
+category c233;
+#line 7
+category c234;
+#line 7
+category c235;
+#line 7
+category c236;
+#line 7
+category c237;
+#line 7
+category c238;
+#line 7
+category c239;
+#line 7
+category c240;
+#line 7
+category c241;
+#line 7
+category c242;
+#line 7
+category c243;
+#line 7
+category c244;
+#line 7
+category c245;
+#line 7
+category c246;
+#line 7
+category c247;
+#line 7
+category c248;
+#line 7
+category c249;
+#line 7
+category c250;
+#line 7
+category c251;
+#line 7
+category c252;
+#line 7
+category c253;
+#line 7
+category c254;
+#line 7
+category c255;
+#line 7
+category c256;
+#line 7
+category c257;
+#line 7
+category c258;
+#line 7
+category c259;
+#line 7
+category c260;
+#line 7
+category c261;
+#line 7
+category c262;
+#line 7
+category c263;
+#line 7
+category c264;
+#line 7
+category c265;
+#line 7
+category c266;
+#line 7
+category c267;
+#line 7
+category c268;
+#line 7
+category c269;
+#line 7
+category c270;
+#line 7
+category c271;
+#line 7
+category c272;
+#line 7
+category c273;
+#line 7
+category c274;
+#line 7
+category c275;
+#line 7
+category c276;
+#line 7
+category c277;
+#line 7
+category c278;
+#line 7
+category c279;
+#line 7
+category c280;
+#line 7
+category c281;
+#line 7
+category c282;
+#line 7
+category c283;
+#line 7
+category c284;
+#line 7
+category c285;
+#line 7
+category c286;
+#line 7
+category c287;
+#line 7
+category c288;
+#line 7
+category c289;
+#line 7
+category c290;
+#line 7
+category c291;
+#line 7
+category c292;
+#line 7
+category c293;
+#line 7
+category c294;
+#line 7
+category c295;
+#line 7
+category c296;
+#line 7
+category c297;
+#line 7
+category c298;
+#line 7
+category c299;
+#line 7
+category c300;
+#line 7
+category c301;
+#line 7
+category c302;
+#line 7
+category c303;
+#line 7
+category c304;
+#line 7
+category c305;
+#line 7
+category c306;
+#line 7
+category c307;
+#line 7
+category c308;
+#line 7
+category c309;
+#line 7
+category c310;
+#line 7
+category c311;
+#line 7
+category c312;
+#line 7
+category c313;
+#line 7
+category c314;
+#line 7
+category c315;
+#line 7
+category c316;
+#line 7
+category c317;
+#line 7
+category c318;
+#line 7
+category c319;
+#line 7
+category c320;
+#line 7
+category c321;
+#line 7
+category c322;
+#line 7
+category c323;
+#line 7
+category c324;
+#line 7
+category c325;
+#line 7
+category c326;
+#line 7
+category c327;
+#line 7
+category c328;
+#line 7
+category c329;
+#line 7
+category c330;
+#line 7
+category c331;
+#line 7
+category c332;
+#line 7
+category c333;
+#line 7
+category c334;
+#line 7
+category c335;
+#line 7
+category c336;
+#line 7
+category c337;
+#line 7
+category c338;
+#line 7
+category c339;
+#line 7
+category c340;
+#line 7
+category c341;
+#line 7
+category c342;
+#line 7
+category c343;
+#line 7
+category c344;
+#line 7
+category c345;
+#line 7
+category c346;
+#line 7
+category c347;
+#line 7
+category c348;
+#line 7
+category c349;
+#line 7
+category c350;
+#line 7
+category c351;
+#line 7
+category c352;
+#line 7
+category c353;
+#line 7
+category c354;
+#line 7
+category c355;
+#line 7
+category c356;
+#line 7
+category c357;
+#line 7
+category c358;
+#line 7
+category c359;
+#line 7
+category c360;
+#line 7
+category c361;
+#line 7
+category c362;
+#line 7
+category c363;
+#line 7
+category c364;
+#line 7
+category c365;
+#line 7
+category c366;
+#line 7
+category c367;
+#line 7
+category c368;
+#line 7
+category c369;
+#line 7
+category c370;
+#line 7
+category c371;
+#line 7
+category c372;
+#line 7
+category c373;
+#line 7
+category c374;
+#line 7
+category c375;
+#line 7
+category c376;
+#line 7
+category c377;
+#line 7
+category c378;
+#line 7
+category c379;
+#line 7
+category c380;
+#line 7
+category c381;
+#line 7
+category c382;
+#line 7
+category c383;
+#line 7
+category c384;
+#line 7
+category c385;
+#line 7
+category c386;
+#line 7
+category c387;
+#line 7
+category c388;
+#line 7
+category c389;
+#line 7
+category c390;
+#line 7
+category c391;
+#line 7
+category c392;
+#line 7
+category c393;
+#line 7
+category c394;
+#line 7
+category c395;
+#line 7
+category c396;
+#line 7
+category c397;
+#line 7
+category c398;
+#line 7
+category c399;
+#line 7
+category c400;
+#line 7
+category c401;
+#line 7
+category c402;
+#line 7
+category c403;
+#line 7
+category c404;
+#line 7
+category c405;
+#line 7
+category c406;
+#line 7
+category c407;
+#line 7
+category c408;
+#line 7
+category c409;
+#line 7
+category c410;
+#line 7
+category c411;
+#line 7
+category c412;
+#line 7
+category c413;
+#line 7
+category c414;
+#line 7
+category c415;
+#line 7
+category c416;
+#line 7
+category c417;
+#line 7
+category c418;
+#line 7
+category c419;
+#line 7
+category c420;
+#line 7
+category c421;
+#line 7
+category c422;
+#line 7
+category c423;
+#line 7
+category c424;
+#line 7
+category c425;
+#line 7
+category c426;
+#line 7
+category c427;
+#line 7
+category c428;
+#line 7
+category c429;
+#line 7
+category c430;
+#line 7
+category c431;
+#line 7
+category c432;
+#line 7
+category c433;
+#line 7
+category c434;
+#line 7
+category c435;
+#line 7
+category c436;
+#line 7
+category c437;
+#line 7
+category c438;
+#line 7
+category c439;
+#line 7
+category c440;
+#line 7
+category c441;
+#line 7
+category c442;
+#line 7
+category c443;
+#line 7
+category c444;
+#line 7
+category c445;
+#line 7
+category c446;
+#line 7
+category c447;
+#line 7
+category c448;
+#line 7
+category c449;
+#line 7
+category c450;
+#line 7
+category c451;
+#line 7
+category c452;
+#line 7
+category c453;
+#line 7
+category c454;
+#line 7
+category c455;
+#line 7
+category c456;
+#line 7
+category c457;
+#line 7
+category c458;
+#line 7
+category c459;
+#line 7
+category c460;
+#line 7
+category c461;
+#line 7
+category c462;
+#line 7
+category c463;
+#line 7
+category c464;
+#line 7
+category c465;
+#line 7
+category c466;
+#line 7
+category c467;
+#line 7
+category c468;
+#line 7
+category c469;
+#line 7
+category c470;
+#line 7
+category c471;
+#line 7
+category c472;
+#line 7
+category c473;
+#line 7
+category c474;
+#line 7
+category c475;
+#line 7
+category c476;
+#line 7
+category c477;
+#line 7
+category c478;
+#line 7
+category c479;
+#line 7
+category c480;
+#line 7
+category c481;
+#line 7
+category c482;
+#line 7
+category c483;
+#line 7
+category c484;
+#line 7
+category c485;
+#line 7
+category c486;
+#line 7
+category c487;
+#line 7
+category c488;
+#line 7
+category c489;
+#line 7
+category c490;
+#line 7
+category c491;
+#line 7
+category c492;
+#line 7
+category c493;
+#line 7
+category c494;
+#line 7
+category c495;
+#line 7
+category c496;
+#line 7
+category c497;
+#line 7
+category c498;
+#line 7
+category c499;
+#line 7
+category c500;
+#line 7
+category c501;
+#line 7
+category c502;
+#line 7
+category c503;
+#line 7
+category c504;
+#line 7
+category c505;
+#line 7
+category c506;
+#line 7
+category c507;
+#line 7
+category c508;
+#line 7
+category c509;
+#line 7
+category c510;
+#line 7
+category c511;
+#line 7
+category c512;
+#line 7
+category c513;
+#line 7
+category c514;
+#line 7
+category c515;
+#line 7
+category c516;
+#line 7
+category c517;
+#line 7
+category c518;
+#line 7
+category c519;
+#line 7
+category c520;
+#line 7
+category c521;
+#line 7
+category c522;
+#line 7
+category c523;
+#line 7
+category c524;
+#line 7
+category c525;
+#line 7
+category c526;
+#line 7
+category c527;
+#line 7
+category c528;
+#line 7
+category c529;
+#line 7
+category c530;
+#line 7
+category c531;
+#line 7
+category c532;
+#line 7
+category c533;
+#line 7
+category c534;
+#line 7
+category c535;
+#line 7
+category c536;
+#line 7
+category c537;
+#line 7
+category c538;
+#line 7
+category c539;
+#line 7
+category c540;
+#line 7
+category c541;
+#line 7
+category c542;
+#line 7
+category c543;
+#line 7
+category c544;
+#line 7
+category c545;
+#line 7
+category c546;
+#line 7
+category c547;
+#line 7
+category c548;
+#line 7
+category c549;
+#line 7
+category c550;
+#line 7
+category c551;
+#line 7
+category c552;
+#line 7
+category c553;
+#line 7
+category c554;
+#line 7
+category c555;
+#line 7
+category c556;
+#line 7
+category c557;
+#line 7
+category c558;
+#line 7
+category c559;
+#line 7
+category c560;
+#line 7
+category c561;
+#line 7
+category c562;
+#line 7
+category c563;
+#line 7
+category c564;
+#line 7
+category c565;
+#line 7
+category c566;
+#line 7
+category c567;
+#line 7
+category c568;
+#line 7
+category c569;
+#line 7
+category c570;
+#line 7
+category c571;
+#line 7
+category c572;
+#line 7
+category c573;
+#line 7
+category c574;
+#line 7
+category c575;
+#line 7
+category c576;
+#line 7
+category c577;
+#line 7
+category c578;
+#line 7
+category c579;
+#line 7
+category c580;
+#line 7
+category c581;
+#line 7
+category c582;
+#line 7
+category c583;
+#line 7
+category c584;
+#line 7
+category c585;
+#line 7
+category c586;
+#line 7
+category c587;
+#line 7
+category c588;
+#line 7
+category c589;
+#line 7
+category c590;
+#line 7
+category c591;
+#line 7
+category c592;
+#line 7
+category c593;
+#line 7
+category c594;
+#line 7
+category c595;
+#line 7
+category c596;
+#line 7
+category c597;
+#line 7
+category c598;
+#line 7
+category c599;
+#line 7
+category c600;
+#line 7
+category c601;
+#line 7
+category c602;
+#line 7
+category c603;
+#line 7
+category c604;
+#line 7
+category c605;
+#line 7
+category c606;
+#line 7
+category c607;
+#line 7
+category c608;
+#line 7
+category c609;
+#line 7
+category c610;
+#line 7
+category c611;
+#line 7
+category c612;
+#line 7
+category c613;
+#line 7
+category c614;
+#line 7
+category c615;
+#line 7
+category c616;
+#line 7
+category c617;
+#line 7
+category c618;
+#line 7
+category c619;
+#line 7
+category c620;
+#line 7
+category c621;
+#line 7
+category c622;
+#line 7
+category c623;
+#line 7
+category c624;
+#line 7
+category c625;
+#line 7
+category c626;
+#line 7
+category c627;
+#line 7
+category c628;
+#line 7
+category c629;
+#line 7
+category c630;
+#line 7
+category c631;
+#line 7
+category c632;
+#line 7
+category c633;
+#line 7
+category c634;
+#line 7
+category c635;
+#line 7
+category c636;
+#line 7
+category c637;
+#line 7
+category c638;
+#line 7
+category c639;
+#line 7
+category c640;
+#line 7
+category c641;
+#line 7
+category c642;
+#line 7
+category c643;
+#line 7
+category c644;
+#line 7
+category c645;
+#line 7
+category c646;
+#line 7
+category c647;
+#line 7
+category c648;
+#line 7
+category c649;
+#line 7
+category c650;
+#line 7
+category c651;
+#line 7
+category c652;
+#line 7
+category c653;
+#line 7
+category c654;
+#line 7
+category c655;
+#line 7
+category c656;
+#line 7
+category c657;
+#line 7
+category c658;
+#line 7
+category c659;
+#line 7
+category c660;
+#line 7
+category c661;
+#line 7
+category c662;
+#line 7
+category c663;
+#line 7
+category c664;
+#line 7
+category c665;
+#line 7
+category c666;
+#line 7
+category c667;
+#line 7
+category c668;
+#line 7
+category c669;
+#line 7
+category c670;
+#line 7
+category c671;
+#line 7
+category c672;
+#line 7
+category c673;
+#line 7
+category c674;
+#line 7
+category c675;
+#line 7
+category c676;
+#line 7
+category c677;
+#line 7
+category c678;
+#line 7
+category c679;
+#line 7
+category c680;
+#line 7
+category c681;
+#line 7
+category c682;
+#line 7
+category c683;
+#line 7
+category c684;
+#line 7
+category c685;
+#line 7
+category c686;
+#line 7
+category c687;
+#line 7
+category c688;
+#line 7
+category c689;
+#line 7
+category c690;
+#line 7
+category c691;
+#line 7
+category c692;
+#line 7
+category c693;
+#line 7
+category c694;
+#line 7
+category c695;
+#line 7
+category c696;
+#line 7
+category c697;
+#line 7
+category c698;
+#line 7
+category c699;
+#line 7
+category c700;
+#line 7
+category c701;
+#line 7
+category c702;
+#line 7
+category c703;
+#line 7
+category c704;
+#line 7
+category c705;
+#line 7
+category c706;
+#line 7
+category c707;
+#line 7
+category c708;
+#line 7
+category c709;
+#line 7
+category c710;
+#line 7
+category c711;
+#line 7
+category c712;
+#line 7
+category c713;
+#line 7
+category c714;
+#line 7
+category c715;
+#line 7
+category c716;
+#line 7
+category c717;
+#line 7
+category c718;
+#line 7
+category c719;
+#line 7
+category c720;
+#line 7
+category c721;
+#line 7
+category c722;
+#line 7
+category c723;
+#line 7
+category c724;
+#line 7
+category c725;
+#line 7
+category c726;
+#line 7
+category c727;
+#line 7
+category c728;
+#line 7
+category c729;
+#line 7
+category c730;
+#line 7
+category c731;
+#line 7
+category c732;
+#line 7
+category c733;
+#line 7
+category c734;
+#line 7
+category c735;
+#line 7
+category c736;
+#line 7
+category c737;
+#line 7
+category c738;
+#line 7
+category c739;
+#line 7
+category c740;
+#line 7
+category c741;
+#line 7
+category c742;
+#line 7
+category c743;
+#line 7
+category c744;
+#line 7
+category c745;
+#line 7
+category c746;
+#line 7
+category c747;
+#line 7
+category c748;
+#line 7
+category c749;
+#line 7
+category c750;
+#line 7
+category c751;
+#line 7
+category c752;
+#line 7
+category c753;
+#line 7
+category c754;
+#line 7
+category c755;
+#line 7
+category c756;
+#line 7
+category c757;
+#line 7
+category c758;
+#line 7
+category c759;
+#line 7
+category c760;
+#line 7
+category c761;
+#line 7
+category c762;
+#line 7
+category c763;
+#line 7
+category c764;
+#line 7
+category c765;
+#line 7
+category c766;
+#line 7
+category c767;
+#line 7
+category c768;
+#line 7
+category c769;
+#line 7
+category c770;
+#line 7
+category c771;
+#line 7
+category c772;
+#line 7
+category c773;
+#line 7
+category c774;
+#line 7
+category c775;
+#line 7
+category c776;
+#line 7
+category c777;
+#line 7
+category c778;
+#line 7
+category c779;
+#line 7
+category c780;
+#line 7
+category c781;
+#line 7
+category c782;
+#line 7
+category c783;
+#line 7
+category c784;
+#line 7
+category c785;
+#line 7
+category c786;
+#line 7
+category c787;
+#line 7
+category c788;
+#line 7
+category c789;
+#line 7
+category c790;
+#line 7
+category c791;
+#line 7
+category c792;
+#line 7
+category c793;
+#line 7
+category c794;
+#line 7
+category c795;
+#line 7
+category c796;
+#line 7
+category c797;
+#line 7
+category c798;
+#line 7
+category c799;
+#line 7
+category c800;
+#line 7
+category c801;
+#line 7
+category c802;
+#line 7
+category c803;
+#line 7
+category c804;
+#line 7
+category c805;
+#line 7
+category c806;
+#line 7
+category c807;
+#line 7
+category c808;
+#line 7
+category c809;
+#line 7
+category c810;
+#line 7
+category c811;
+#line 7
+category c812;
+#line 7
+category c813;
+#line 7
+category c814;
+#line 7
+category c815;
+#line 7
+category c816;
+#line 7
+category c817;
+#line 7
+category c818;
+#line 7
+category c819;
+#line 7
+category c820;
+#line 7
+category c821;
+#line 7
+category c822;
+#line 7
+category c823;
+#line 7
+category c824;
+#line 7
+category c825;
+#line 7
+category c826;
+#line 7
+category c827;
+#line 7
+category c828;
+#line 7
+category c829;
+#line 7
+category c830;
+#line 7
+category c831;
+#line 7
+category c832;
+#line 7
+category c833;
+#line 7
+category c834;
+#line 7
+category c835;
+#line 7
+category c836;
+#line 7
+category c837;
+#line 7
+category c838;
+#line 7
+category c839;
+#line 7
+category c840;
+#line 7
+category c841;
+#line 7
+category c842;
+#line 7
+category c843;
+#line 7
+category c844;
+#line 7
+category c845;
+#line 7
+category c846;
+#line 7
+category c847;
+#line 7
+category c848;
+#line 7
+category c849;
+#line 7
+category c850;
+#line 7
+category c851;
+#line 7
+category c852;
+#line 7
+category c853;
+#line 7
+category c854;
+#line 7
+category c855;
+#line 7
+category c856;
+#line 7
+category c857;
+#line 7
+category c858;
+#line 7
+category c859;
+#line 7
+category c860;
+#line 7
+category c861;
+#line 7
+category c862;
+#line 7
+category c863;
+#line 7
+category c864;
+#line 7
+category c865;
+#line 7
+category c866;
+#line 7
+category c867;
+#line 7
+category c868;
+#line 7
+category c869;
+#line 7
+category c870;
+#line 7
+category c871;
+#line 7
+category c872;
+#line 7
+category c873;
+#line 7
+category c874;
+#line 7
+category c875;
+#line 7
+category c876;
+#line 7
+category c877;
+#line 7
+category c878;
+#line 7
+category c879;
+#line 7
+category c880;
+#line 7
+category c881;
+#line 7
+category c882;
+#line 7
+category c883;
+#line 7
+category c884;
+#line 7
+category c885;
+#line 7
+category c886;
+#line 7
+category c887;
+#line 7
+category c888;
+#line 7
+category c889;
+#line 7
+category c890;
+#line 7
+category c891;
+#line 7
+category c892;
+#line 7
+category c893;
+#line 7
+category c894;
+#line 7
+category c895;
+#line 7
+category c896;
+#line 7
+category c897;
+#line 7
+category c898;
+#line 7
+category c899;
+#line 7
+category c900;
+#line 7
+category c901;
+#line 7
+category c902;
+#line 7
+category c903;
+#line 7
+category c904;
+#line 7
+category c905;
+#line 7
+category c906;
+#line 7
+category c907;
+#line 7
+category c908;
+#line 7
+category c909;
+#line 7
+category c910;
+#line 7
+category c911;
+#line 7
+category c912;
+#line 7
+category c913;
+#line 7
+category c914;
+#line 7
+category c915;
+#line 7
+category c916;
+#line 7
+category c917;
+#line 7
+category c918;
+#line 7
+category c919;
+#line 7
+category c920;
+#line 7
+category c921;
+#line 7
+category c922;
+#line 7
+category c923;
+#line 7
+category c924;
+#line 7
+category c925;
+#line 7
+category c926;
+#line 7
+category c927;
+#line 7
+category c928;
+#line 7
+category c929;
+#line 7
+category c930;
+#line 7
+category c931;
+#line 7
+category c932;
+#line 7
+category c933;
+#line 7
+category c934;
+#line 7
+category c935;
+#line 7
+category c936;
+#line 7
+category c937;
+#line 7
+category c938;
+#line 7
+category c939;
+#line 7
+category c940;
+#line 7
+category c941;
+#line 7
+category c942;
+#line 7
+category c943;
+#line 7
+category c944;
+#line 7
+category c945;
+#line 7
+category c946;
+#line 7
+category c947;
+#line 7
+category c948;
+#line 7
+category c949;
+#line 7
+category c950;
+#line 7
+category c951;
+#line 7
+category c952;
+#line 7
+category c953;
+#line 7
+category c954;
+#line 7
+category c955;
+#line 7
+category c956;
+#line 7
+category c957;
+#line 7
+category c958;
+#line 7
+category c959;
+#line 7
+category c960;
+#line 7
+category c961;
+#line 7
+category c962;
+#line 7
+category c963;
+#line 7
+category c964;
+#line 7
+category c965;
+#line 7
+category c966;
+#line 7
+category c967;
+#line 7
+category c968;
+#line 7
+category c969;
+#line 7
+category c970;
+#line 7
+category c971;
+#line 7
+category c972;
+#line 7
+category c973;
+#line 7
+category c974;
+#line 7
+category c975;
+#line 7
+category c976;
+#line 7
+category c977;
+#line 7
+category c978;
+#line 7
+category c979;
+#line 7
+category c980;
+#line 7
+category c981;
+#line 7
+category c982;
+#line 7
+category c983;
+#line 7
+category c984;
+#line 7
+category c985;
+#line 7
+category c986;
+#line 7
+category c987;
+#line 7
+category c988;
+#line 7
+category c989;
+#line 7
+category c990;
+#line 7
+category c991;
+#line 7
+category c992;
+#line 7
+category c993;
+#line 7
+category c994;
+#line 7
+category c995;
+#line 7
+category c996;
+#line 7
+category c997;
+#line 7
+category c998;
+#line 7
+category c999;
+#line 7
+category c1000;
+#line 7
+category c1001;
+#line 7
+category c1002;
+#line 7
+category c1003;
+#line 7
+category c1004;
+#line 7
+category c1005;
+#line 7
+category c1006;
+#line 7
+category c1007;
+#line 7
+category c1008;
+#line 7
+category c1009;
+#line 7
+category c1010;
+#line 7
+category c1011;
+#line 7
+category c1012;
+#line 7
+category c1013;
+#line 7
+category c1014;
+#line 7
+category c1015;
+#line 7
+category c1016;
+#line 7
+category c1017;
+#line 7
+category c1018;
+#line 7
+category c1019;
+#line 7
+category c1020;
+#line 7
+category c1021;
+#line 7
+category c1022;
+#line 7
+category c1023;
+#line 7
+
+
+# Generate level definitions for each sensitivity and category.
+level s0:c0.c1023;
+#line 10
+
+
+
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: No write down unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Sockets inherit the range of their creator.
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } { create relabelfrom relabelto }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be dominated by receiver unless one of them is
+# trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must be equivalent to object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be dominated by the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a MLS trusted subject and can receive data at any level.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+#
+# IPC constraints
+#
+
+# Create/destroy: equivalence or trusted.
+mlsconstrain { sem msgq shm ipc } { create destroy }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+# Read ops: No read up unless trusted.
+mlsconstrain { sem msgq shm ipc } { getattr read associate unix_read }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Write ops: No write down unless trusted.
+mlsconstrain { sem msgq shm ipc } { write unix_write }
+ (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+#line 1 "external/sepolicy/policy_capabilities"
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+#line 1 "external/sepolicy/te_macros"
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+#line 21
+
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+#line 33
+
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+#line 49
+
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+#line 62
+
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+#line 71
+
+
+#####################################
+# unconfined_domain(domain)
+# Allow the specified domain to perform more privileged operations
+# than would be typically allowed. Please see the comments at the
+# top of unconfined.te.
+#
+#line 82
+
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+#line 92
+
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+#line 101
+
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+#line 112
+
+
+#####################################
+# relabelto_domain(domain)
+# Allows this domain to use the relabelto permission
+#line 119
+
+
+#####################################
+# platform_app_domain(domain)
+# Allow permissions specific to platform apps.
+#line 127
+
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+#line 134
+
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+#line 141
+
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#line 150
+
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+#line 159
+
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+#line 169
+
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+#line 181
+
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+#line 189
+
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+#line 199
+
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+#line 208
+
+
+#####################################
+# selinux_getenforce(domain)
+# Allow domain to check whether SELinux is enforcing.
+#line 216
+
+
+#####################################
+# selinux_setenforce(domain)
+# Allow domain to set SELinux to enforcing.
+#line 225
+
+
+#####################################
+# selinux_setbool(domain)
+# Allow domain to set SELinux booleans.
+#line 234
+
+
+#####################################
+# security_access_policy(domain)
+# Read only access to all policy files and
+# selinuxfs
+#line 248
+
+
+#####################################
+# selinux_manage_policy(domain)
+# Ability to manage policy files and
+# trigger runtime reload.
+#line 261
+
+
+#####################################
+# mmac_manage_policy(domain)
+# Ability to manage mmac policy files,
+# trigger runtime reload, change
+# mmac enforcing mode and access logcat.
+#line 274
+
+
+#####################################
+# access_kmsg(domain)
+# Ability to read from kernel logs
+# and execute the klogctl syscall
+# in a non destructive manner. See
+# man 2 klogctl
+#line 284
+
+
+#####################################
+# write_klog(domain)
+# Ability to write to kernel log via
+# klog_write()
+# See system/core/libcutil/klog.c
+#line 295
+
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+#line 309
+
+
+#####################################
+# Non system_app application set
+#
+
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+
+
+#####################################
+# permissive_or_unconfined
+# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
+# and "unconfined($1)" otherwise.
+#
+# This is used for experimental domains, where we want to ensure
+# the domain is unconfined+enforcing once new SELinux policy development
+# has ceased.
+#
+
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+#line 345
+
+
+#####################################
+# read_logd(domain)
+# Ability to read from android
+# log daemon via sockets
+#line 353
+
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+#line 363
+
+#line 1 "external/sepolicy/attributes"
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+attribute fs_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+attribute property_type;
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for shells.
+attribute shelldomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# Allow domains used for platform (signed by build key) apps.
+attribute platformappdomain;
+
+# All domains which are allowed the "relabelto" permission
+attribute relabeltodomain;
+#line 1 "external/sepolicy/adbd.te"
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+
+#line 7
+
+
+
+#line 9
+# Allow the necessary permissions.
+#line 9
+
+#line 9
+# Old domain may exec the file and transition to the new domain.
+#line 9
+allow adbd shell_exec:file { getattr open read execute };
+#line 9
+allow adbd shell:process transition;
+#line 9
+# New domain is entered by executing the file.
+#line 9
+allow shell shell_exec:file { entrypoint read execute };
+#line 9
+# New domain can send SIGCHLD to its caller.
+#line 9
+allow shell adbd:process sigchld;
+#line 9
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 9
+dontaudit adbd shell:process noatsecure;
+#line 9
+# XXX dontaudit candidate but requires further study.
+#line 9
+allow adbd shell:process { siginh rlimitinh };
+#line 9
+
+#line 9
+# Make the transition occur by default.
+#line 9
+type_transition adbd shell_exec:process shell;
+#line 9
+
+# this is an entrypoint
+allow adbd rootfs:file entrypoint;
+
+# Do not sanitize the environment or open fds of the shell.
+allow adbd shell:process noatsecure;
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:capability setpcap;
+
+# Create and use network sockets.
+
+#line 23
+typeattribute adbd netdomain;
+#line 23
+
+
+# Access /dev/android_adb.
+allow adbd adb_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# On emulator, access /dev/qemu*.
+allow adbd qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow adbd shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# adb push/pull sdcard.
+allow adbd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow adbd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Set service.adb.*, sys.powerctl properties.
+
+#line 43
+allow adbd property_socket:sock_file write;
+#line 43
+allow adbd init:unix_stream_socket connectto;
+#line 43
+
+allow adbd shell_prop:property_service set;
+allow adbd powerctl_prop:property_service set;
+
+# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
+# Also covers running /system/bin/bu.
+allow adbd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+#line 50
+allow adbd vold_socket:sock_file write;
+#line 50
+allow adbd vold:unix_stream_socket connectto;
+#line 50
+
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+
+#line 54
+# Call the servicemanager and transfer references to it.
+#line 54
+allow adbd servicemanager:binder { call transfer };
+#line 54
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 54
+# all domains in domain.te.
+#line 54
+
+
+#line 55
+# Call the server domain and optionally transfer references to it.
+#line 55
+allow adbd surfaceflinger:binder { call transfer };
+#line 55
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 55
+allow surfaceflinger adbd:binder transfer;
+#line 55
+# Receive and use open files from the server.
+#line 55
+allow adbd surfaceflinger:fd use;
+#line 55
+
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file { getattr open read ioctl lock };
+
+# Allow access in case /data/misc/adb still has the old type.
+allow adbd system_data_file:dir search;
+allow adbd system_data_file:file { getattr open read ioctl lock };
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file { getattr open read ioctl lock };
+allow adbd system_file:file { getattr open read ioctl lock };
+#line 1 "external/sepolicy/app.te"
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# Dalvik Compiler JIT Mapping.
+allow appdomain self:process execmem;
+allow appdomain ashmem_device:chr_file execute;
+
+# Allow apps to connect to the keystore
+
+#line 15
+allow appdomain keystore_socket:sock_file write;
+#line 15
+allow appdomain keystore:unix_stream_socket connectto;
+#line 15
+
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+allow appdomain zygote_exec:file { getattr open read ioctl lock };
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow appdomain self:process ptrace;
+
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Communicate with system_server.
+allow appdomain system_server:fifo_file { { getattr open read ioctl lock } { open append write } };
+allow appdomain system_server:unix_stream_socket { read write setopt };
+
+#line 42
+# Call the server domain and optionally transfer references to it.
+#line 42
+allow appdomain system_server:binder { call transfer };
+#line 42
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 42
+allow system_server appdomain:binder transfer;
+#line 42
+# Receive and use open files from the server.
+#line 42
+allow appdomain system_server:fd use;
+#line 42
+
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file { { getattr open read ioctl lock } { open append write } };
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+
+#line 49
+# Call the server domain and optionally transfer references to it.
+#line 49
+allow appdomain surfaceflinger:binder { call transfer };
+#line 49
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 49
+allow surfaceflinger appdomain:binder transfer;
+#line 49
+# Receive and use open files from the server.
+#line 49
+allow appdomain surfaceflinger:fd use;
+#line 49
+
+
+# App sandbox file accesses.
+allow appdomain app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow appdomain app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read/write data files created by the platform apps if they
+# were passed to the app via binder or local IPC. Do not allow open.
+allow appdomain platform_app_data_file:file { getattr read write };
+
+# lib subdirectory of /data/data dir is system-owned.
+allow appdomain system_data_file:dir { open getattr read search ioctl };
+allow appdomain system_data_file:file { execute execute_no_trans open };
+
+# Execute the shell or other system executables.
+allow appdomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow appdomain system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write };
+
+# Write to /data/anr/traces.txt.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file { getattr open read ioctl lock };
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file { { { getattr open read ioctl lock } { open append write } } execute };
+
+# Use the Binder.
+
+#line 90
+# Call the servicemanager and transfer references to it.
+#line 90
+allow appdomain servicemanager:binder { call transfer };
+#line 90
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 90
+# all domains in domain.te.
+#line 90
+
+# Perform binder IPC to binder services.
+
+#line 92
+# Call the server domain and optionally transfer references to it.
+#line 92
+allow appdomain binderservicedomain:binder { call transfer };
+#line 92
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 92
+allow binderservicedomain appdomain:binder transfer;
+#line 92
+# Receive and use open files from the server.
+#line 92
+allow appdomain binderservicedomain:fd use;
+#line 92
+
+# Perform binder IPC to other apps.
+
+#line 94
+# Call the server domain and optionally transfer references to it.
+#line 94
+allow appdomain appdomain:binder { call transfer };
+#line 94
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 94
+allow appdomain appdomain:binder transfer;
+#line 94
+# Receive and use open files from the server.
+#line 94
+allow appdomain appdomain:fd use;
+#line 94
+
+
+# Appdomain interaction with isolated apps
+
+#line 97
+allow appdomain isolated_app:dir { open getattr read search ioctl };
+#line 97
+allow appdomain isolated_app:{ file lnk_file } { getattr open read ioctl lock };
+#line 97
+
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain isolated_app:unix_stream_socket { read write };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file getattr;
+
+# Allow all applications to read downloaded files
+allow appdomain download_file:dir search;
+allow appdomain download_file:file { getattr open read ioctl lock };
+
+# Allow applications to communicate with netd via /dev/socket/dnsproxyd
+# to do DNS resolution
+
+#line 118
+allow appdomain dnsproxyd_socket:sock_file write;
+#line 118
+allow appdomain netd:unix_stream_socket connectto;
+#line 118
+
+
+# Allow applications to communicate with drmserver over binder
+
+#line 121
+# Call the server domain and optionally transfer references to it.
+#line 121
+allow appdomain drmserver:binder { call transfer };
+#line 121
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 121
+allow drmserver appdomain:binder transfer;
+#line 121
+# Receive and use open files from the server.
+#line 121
+allow appdomain drmserver:fd use;
+#line 121
+
+
+# Allow applications to communicate with mediaserver over binder
+
+#line 124
+# Call the server domain and optionally transfer references to it.
+#line 124
+allow appdomain mediaserver:binder { call transfer };
+#line 124
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 124
+allow mediaserver appdomain:binder transfer;
+#line 124
+# Receive and use open files from the server.
+#line 124
+allow appdomain mediaserver:fd use;
+#line 124
+
+
+# Allow applications to make outbound tcp connections to any port
+allow appdomain port_type:tcp_socket name_connect;
+
+# Allow apps to see changes to the routing table.
+allow appdomain self:netlink_route_socket {
+ read
+ bind
+ create
+ nlmsg_read
+ ioctl
+ getattr
+ setattr
+ getopt
+ setopt
+ shutdown
+};
+
+# Allow apps to use rawip sockets. This is needed for apps which execute
+# /system/bin/ping, for example.
+allow appdomain self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow appdomain usb_device:chr_file { read write getattr ioctl };
+allow appdomain usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+allow appdomain unlabeled:file { getattr execute execute_no_trans };
+
+###
+### CTS-specific rules
+###
+
+# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
+# Reads /proc/pid/status and statm entries to check that
+# no unexpected root processes are running.
+# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+# Reads /proc/pid/cmdline of vold.
+allow appdomain domain:dir { open read search getattr };
+allow appdomain domain:{ file lnk_file } { open read getattr };
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
+# Check SELinux policy and contexts.
+
+#line 181
+allow appdomain selinuxfs:dir { open getattr read search ioctl };
+#line 181
+allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 181
+allow appdomain kernel:security compute_av;
+#line 181
+allow appdomain self:netlink_selinux_socket *;
+#line 181
+
+
+#line 182
+allow appdomain selinuxfs:dir { open getattr read search ioctl };
+#line 182
+allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 182
+allow appdomain kernel:security check_context;
+#line 182
+
+# Validate that each process is running in the correct security context.
+allow appdomain domain:process getattr;
+
+# logd access
+
+#line 187
+
+#line 187
+allow appdomain logdr_socket:sock_file write;
+#line 187
+allow appdomain logd:unix_stream_socket connectto;
+#line 187
+
+#line 187
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+neverallow { appdomain -unconfineddomain } self:capability2 *;
+
+# Block device access.
+neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow { appdomain -unconfineddomain } {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ gps_device
+ rpmsg_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell -unconfineddomain }
+ graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
+ { read write };
+neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
+
+# Set SELinux enforcing mode, booleans or any other SELinux settings.
+neverallow { appdomain -unconfineddomain } kernel:security
+ { setenforce setbool setsecparam setcheckreqprot };
+
+# Load security policy.
+neverallow appdomain kernel:security load_policy;
+
+# Privileged netlink socket interfaces.
+neverallow { appdomain -unconfineddomain }
+ self:{
+ netlink_socket
+ netlink_firewall_socket
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_ip6fw_socket
+ netlink_dnrt_socket
+ netlink_kobject_uevent_socket
+ } *;
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow { appdomain -unconfineddomain } socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
+neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
+ property_socket:sock_file write;
+neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
+
+# Write access to /proc/pid entries for any non-app domain.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
+ { sigkill sigstop signal };
+
+# Transition to a non-app domain.
+# Exception for the shell domain, can transition to runas, etc.
+neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
+ { transition dyntransition };
+
+# Map low memory.
+# Note: Take to domain.te and apply to all domains in the future.
+neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;
+
+# Write to rootfs.
+neverallow { appdomain -unconfineddomain } rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow { appdomain -unconfineddomain } system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow { appdomain -unconfineddomain } exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+# Exception for system_app for Settings.
+neverallow { appdomain -unconfineddomain -system_app }
+ system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow { appdomain -system_app -unconfineddomain }
+ security_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } gps_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell -unconfineddomain }
+ shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth -unconfineddomain }
+ bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Access to factory files.
+neverallow { appdomain -unconfineddomain }
+ efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { read write };
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc -unconfineddomain }
+ sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+neverallow { appdomain -unconfineddomain }
+ proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow { appdomain -system_app -unconfineddomain }
+ kernel:system { syslog_read syslog_mod syslog_console };
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;
+
+# Ability to set system properties.
+neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
+ property_type:property_service set;
+#line 1 "external/sepolicy/binderservicedomain.te"
+# Rules common to all binder service domains
+
+# Allow dumpstate to collect information from binder services
+allow binderservicedomain dumpstate:fd use;
+allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell
+allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/bluetooth.te"
+# bluetooth subsystem
+type bluetooth, domain;
+
+#line 3
+typeattribute bluetooth appdomain;
+#line 3
+# Label ashmem objects with our own unique type.
+#line 3
+
+#line 3
+type bluetooth_tmpfs, file_type;
+#line 3
+type_transition bluetooth tmpfs:file bluetooth_tmpfs;
+#line 3
+allow bluetooth bluetooth_tmpfs:file { read write };
+#line 3
+
+#line 3
+# Map with PROT_EXEC.
+#line 3
+allow bluetooth bluetooth_tmpfs:file execute;
+#line 3
+
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+allow bluetooth bluetooth_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# bluetooth factory file accesses.
+
+#line 14
+allow bluetooth bluetooth_efs_file:dir { open getattr read search ioctl };
+#line 14
+allow bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 14
+
+
+# Device accesses.
+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Other domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
+allow bluetooth self:capability net_admin;
+
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
+
+# Talk to init over the property socket.
+
+#line 36
+allow bluetooth property_socket:sock_file write;
+#line 36
+allow bluetooth init:unix_stream_socket connectto;
+#line 36
+
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
+
+# bluetooth file transfers
+allow bluetooth sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow bluetooth sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Allow reading of media_rw_data_file file descriptors
+# passed to bluetooth
+allow bluetooth media_rw_data_file:file { read getattr };
+
+# Allow write access to bluetooth specific properties
+allow bluetooth bluetooth_prop:property_service set;
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
+#line 1 "external/sepolicy/bootanim.te"
+# bootanimation oneshot service
+type bootanim, domain;
+type bootanim_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init bootanim_exec:file { getattr open read execute };
+#line 5
+allow init bootanim:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow bootanim bootanim_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow bootanim init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init bootanim:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init bootanim:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init bootanim_exec:process bootanim;
+#line 5
+
+#line 5
+
+#line 5
+type bootanim_tmpfs, file_type;
+#line 5
+type_transition bootanim tmpfs:file bootanim_tmpfs;
+#line 5
+allow bootanim bootanim_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+
+#line 7
+# Call the servicemanager and transfer references to it.
+#line 7
+allow bootanim servicemanager:binder { call transfer };
+#line 7
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 7
+# all domains in domain.te.
+#line 7
+
+
+#line 8
+# Call the server domain and optionally transfer references to it.
+#line 8
+allow bootanim surfaceflinger:binder { call transfer };
+#line 8
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 8
+allow surfaceflinger bootanim:binder transfer;
+#line 8
+# Receive and use open files from the server.
+#line 8
+allow bootanim surfaceflinger:fd use;
+#line 8
+
+
+allow bootanim gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/clatd.te"
+# 464xlat daemon
+type clatd, domain;
+
+#line 3
+typeattribute clatd mlstrustedsubject;
+#line 3
+typeattribute clatd unconfineddomain;
+#line 3
+
+type clatd_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init clatd_exec:file { getattr open read execute };
+#line 6
+allow init clatd:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow clatd clatd_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow clatd init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init clatd:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init clatd:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init clatd_exec:process clatd;
+#line 6
+
+#line 6
+
+#line 6
+type clatd_tmpfs, file_type;
+#line 6
+type_transition clatd tmpfs:file clatd_tmpfs;
+#line 6
+allow clatd clatd_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute clatd netdomain;
+#line 7
+
+#line 1 "external/sepolicy/debuggerd.te"
+# debugger interface
+type debuggerd, domain;
+type debuggerd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init debuggerd_exec:file { getattr open read execute };
+#line 5
+allow init debuggerd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow debuggerd debuggerd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow debuggerd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init debuggerd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init debuggerd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init debuggerd_exec:process debuggerd;
+#line 5
+
+#line 5
+
+#line 5
+type debuggerd_tmpfs, file_type;
+#line 5
+type_transition debuggerd tmpfs:file debuggerd_tmpfs;
+#line 5
+allow debuggerd debuggerd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
+allow debuggerd domain:dir { open getattr read search ioctl };
+allow debuggerd domain:file { getattr open read ioctl lock };
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
+
+#line 12
+allow debuggerd security_file:dir { open getattr read search ioctl };
+#line 12
+allow debuggerd security_file:file { getattr open read ioctl lock };
+#line 12
+allow debuggerd security_file:lnk_file { getattr open read ioctl lock };
+#line 12
+allow debuggerd selinuxfs:dir { open getattr read search ioctl };
+#line 12
+allow debuggerd selinuxfs:file { getattr open read ioctl lock };
+#line 12
+allow debuggerd rootfs:dir { open getattr read search ioctl };
+#line 12
+allow debuggerd rootfs:file { getattr open read ioctl lock };
+#line 12
+
+allow debuggerd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow debuggerd system_data_file:dir relabelfrom;
+
+#line 15
+typeattribute debuggerd relabeltodomain;
+#line 15
+
+allow debuggerd tombstone_data_file:dir relabelto;
+allow debuggerd tombstone_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow debuggerd tombstone_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file { getattr open read ioctl lock };
+# Access app library
+allow debuggerd system_data_file:file open;
+
+# Connect to system_server via /data/system/ndebugsocket.
+
+#line 25
+allow debuggerd system_ndebug_socket:sock_file write;
+#line 25
+allow debuggerd system_server:unix_stream_socket connectto;
+#line 25
+
+
+#line 30
+
+
+# logd access
+
+#line 33
+
+#line 33
+allow debuggerd logdr_socket:sock_file write;
+#line 33
+allow debuggerd logd:unix_stream_socket connectto;
+#line 33
+
+#line 33
+
+#line 1 "external/sepolicy/device.te"
+# Device types
+type device, dev_type, fs_type;
+type alarm_device, dev_type, mlstrustedobject;
+type adb_device, dev_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type loop_device, dev_type;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type fscklogs, dev_type;
+type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type log_device, dev_type, mlstrustedobject;
+type mtd_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type qemu_device, dev_type;
+type kmsg_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type urandom_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type;
+type fuse_device, dev_type;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type gps_device, dev_type;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type;
+type usb_device, dev_type;
+type klog_device, dev_type;
+type properties_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+#line 1 "external/sepolicy/dhcp.te"
+type dhcp, domain;
+
+#line 2
+typeattribute dhcp mlstrustedsubject;
+#line 2
+typeattribute dhcp unconfineddomain;
+#line 2
+
+type dhcp_exec, exec_type, file_type;
+type dhcp_data_file, file_type, data_file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init dhcp_exec:file { getattr open read execute };
+#line 6
+allow init dhcp:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow dhcp dhcp_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow dhcp init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init dhcp:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init dhcp:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init dhcp_exec:process dhcp;
+#line 6
+
+#line 6
+
+#line 6
+type dhcp_tmpfs, file_type;
+#line 6
+type_transition dhcp tmpfs:file dhcp_tmpfs;
+#line 6
+allow dhcp dhcp_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute dhcp netdomain;
+#line 7
+
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow dhcp self:netlink_route_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_write };
+allow dhcp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow dhcp shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow dhcp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
+allow dhcp system_prop:property_service set ;
+
+#line 19
+allow dhcp property_socket:sock_file write;
+#line 19
+allow dhcp init:unix_stream_socket connectto;
+#line 19
+
+allow dhcp owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+allow dhcp dhcp_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow dhcp dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file { { getattr open read ioctl lock } { open append write } };
+allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
+#line 1 "external/sepolicy/dnsmasq.te"
+# DNS, DHCP services
+type dnsmasq, domain;
+
+#line 3
+typeattribute dnsmasq mlstrustedsubject;
+#line 3
+typeattribute dnsmasq unconfineddomain;
+#line 3
+
+type dnsmasq_exec, exec_type, file_type;
+
+allow dnsmasq self:capability { net_bind_service setgid setuid };
+allow dnsmasq self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+
+allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name };
+allow dnsmasq dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow dnsmasq port:tcp_socket name_bind;
+allow dnsmasq node:tcp_socket node_bind;
+#line 1 "external/sepolicy/domain.te"
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file { read getattr };
+
+# Search /storage/emulated tmpfs mount.
+allow domain tmpfs:dir { open getattr read search ioctl };
+
+# Intra-domain accesses.
+allow domain self:process ~{ execmem execstack execheap ptrace };
+allow domain self:fd use;
+allow domain self:dir { open getattr read search ioctl };
+allow domain self:lnk_file { getattr open read ioctl lock };
+allow domain self:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system_server:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
+
+#line 43
+
+
+###
+### Talk to debuggerd.
+###
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir { open getattr read search ioctl };
+allow domain rootfs:file { getattr open read ioctl lock };
+allow domain rootfs:lnk_file { getattr open read ioctl lock };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file { getattr open read ioctl lock };
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain null_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain zero_device:chr_file { getattr open read ioctl lock };
+allow domain ashmem_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain binder_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain ptmx_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain log_device:dir search;
+allow domain log_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain alarm_device:chr_file { getattr open read ioctl lock };
+allow domain urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain random_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain properties_device:file { getattr open read ioctl lock };
+
+# logd access
+
+#line 76
+
+#line 76
+
+#line 76
+allow domain logdw_socket:sock_file write;
+#line 76
+allow domain logd:unix_dgram_socket sendto;
+#line 76
+
+#line 76
+
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# System file accesses.
+allow domain system_file:dir { open getattr read search ioctl };
+allow domain system_file:file { getattr open read ioctl lock };
+allow domain system_file:file execute;
+allow domain system_file:lnk_file { getattr open read ioctl lock };
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file { getattr open read ioctl lock };
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir { getattr search };
+allow domain apk_data_file:file { getattr open read ioctl lock };
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file { getattr open read ioctl lock };
+
+# Read already opened /cache files.
+allow domain cache_file:dir { open getattr read search ioctl };
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file { getattr open read ioctl lock };
+
+# Read timezone related information
+
+#line 107
+allow domain zoneinfo_data_file:dir { open getattr read search ioctl };
+#line 107
+allow domain zoneinfo_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 107
+
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file { open append write };
+
+#Allow access to ion memory allocation device
+allow domain ion_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Read access to pseudo filesystems.
+
+#line 117
+allow domain proc:dir { open getattr read search ioctl };
+#line 117
+allow domain proc:{ file lnk_file } { getattr open read ioctl lock };
+#line 117
+
+
+#line 118
+allow domain sysfs:dir { open getattr read search ioctl };
+#line 118
+allow domain sysfs:{ file lnk_file } { getattr open read ioctl lock };
+#line 118
+
+
+#line 119
+allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl };
+#line 119
+allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock };
+#line 119
+
+
+#line 120
+allow domain inotify:dir { open getattr read search ioctl };
+#line 120
+allow domain inotify:{ file lnk_file } { getattr open read ioctl lock };
+#line 120
+
+
+#line 121
+allow domain cgroup:dir { open getattr read search ioctl };
+#line 121
+allow domain cgroup:{ file lnk_file } { getattr open read ioctl lock };
+#line 121
+
+
+#line 122
+allow domain proc_net:dir { open getattr read search ioctl };
+#line 122
+allow domain proc_net:{ file lnk_file } { getattr open read ioctl lock };
+#line 122
+
+
+# debugfs access
+allow domain debugfs:dir { open getattr read search ioctl };
+allow domain debugfs:file { open append write };
+
+# Get SELinux enforcing status.
+
+#line 129
+allow domain selinuxfs:dir { open getattr read search ioctl };
+#line 129
+allow domain selinuxfs:file { getattr open read ioctl lock };
+#line 129
+
+
+# security files
+allow domain security_file:dir { search getattr };
+allow domain security_file:file getattr;
+
+# World readable asec image contents
+allow domain asec_public_file:file { getattr open read ioctl lock };
+allow domain { asec_public_file asec_apk_file }:dir { open getattr read search ioctl };
+
+######## Backwards compatibility - Unlabeled files ############
+
+# Revert to DAC rules when looking at unlabeled files. Over time, the number
+# of unlabeled files should decrease.
+# TODO: delete these rules in the future.
+#
+# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
+# capability, it's essentially useless. This is needed to allow an app with
+# relabelto to relabel unlabeled files.
+#
+allow domain unlabeled:{ file lnk_file sock_file fifo_file } { { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } relabelfrom };
+allow domain unlabeled:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
+neverallow { domain -relabeltodomain } *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+
+###
+### neverallow rules
+###
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
+
+# Limit device node creation and raw I/O to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow domain self:capability2 mac_override;
+
+# Only recovery needs mac_admin to set contexts not defined in current policy.
+neverallow { domain -recovery } self:capability2 mac_admin;
+
+# Only init should be able to load SELinux policies.
+# The first load technically occurs while still in the kernel domain,
+# but this does not trigger a denial since there is no policy yet.
+# Policy reload requires allowing this to the init domain.
+neverallow { domain -init } kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+
+# Only init, ueventd and system_server should be able to access HW RNG
+neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type.
+neverallow domain { file_type -exec_type }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
+neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;
+
+# Init can't receive binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow domain init:binder call;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+# ueventd is exempt from this, as its managing these devices.
+neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+#line 1 "external/sepolicy/drmserver.te"
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init drmserver_exec:file { getattr open read execute };
+#line 5
+allow init drmserver:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow drmserver drmserver_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow drmserver init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init drmserver:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init drmserver:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init drmserver_exec:process drmserver;
+#line 5
+
+#line 5
+
+#line 5
+type drmserver_tmpfs, file_type;
+#line 5
+type_transition drmserver tmpfs:file drmserver_tmpfs;
+#line 5
+allow drmserver drmserver_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+
+#line 9
+# Call the servicemanager and transfer references to it.
+#line 9
+allow drmserver servicemanager:binder { call transfer };
+#line 9
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 9
+# all domains in domain.te.
+#line 9
+
+
+#line 10
+# Call the server domain and optionally transfer references to it.
+#line 10
+allow drmserver system_server:binder { call transfer };
+#line 10
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 10
+allow system_server drmserver:binder transfer;
+#line 10
+# Receive and use open files from the server.
+#line 10
+allow drmserver system_server:fd use;
+#line 10
+
+
+#line 11
+# Call the server domain and optionally transfer references to it.
+#line 11
+allow drmserver appdomain:binder { call transfer };
+#line 11
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 11
+allow appdomain drmserver:binder transfer;
+#line 11
+# Receive and use open files from the server.
+#line 11
+allow drmserver appdomain:fd use;
+#line 11
+
+
+#line 12
+typeattribute drmserver binderservicedomain;
+#line 12
+
+
+# Perform Binder IPC to mediaserver
+
+#line 15
+# Call the server domain and optionally transfer references to it.
+#line 15
+allow drmserver mediaserver:binder { call transfer };
+#line 15
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 15
+allow mediaserver drmserver:binder transfer;
+#line 15
+# Receive and use open files from the server.
+#line 15
+allow drmserver mediaserver:fd use;
+#line 15
+
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow drmserver drm_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
+allow drmserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+
+#line 26
+allow drmserver efs_file:dir { open getattr read search ioctl };
+#line 26
+allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 26
+
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+allow drmserver drmserver_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow drmserver tee:unix_stream_socket connectto;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+
+#line 40
+allow drmserver media_rw_data_file:dir { open getattr read search ioctl };
+#line 40
+allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 40
+
+#line 1 "external/sepolicy/dumpstate.te"
+# dumpstate
+type dumpstate, domain;
+
+#line 3
+typeattribute dumpstate mlstrustedsubject;
+#line 3
+typeattribute dumpstate unconfineddomain;
+#line 3
+
+type dumpstate_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init dumpstate_exec:file { getattr open read execute };
+#line 6
+allow init dumpstate:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow dumpstate dumpstate_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow dumpstate init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init dumpstate:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init dumpstate:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init dumpstate_exec:process dumpstate;
+#line 6
+
+#line 6
+
+#line 6
+type dumpstate_tmpfs, file_type;
+#line 6
+type_transition dumpstate tmpfs:file dumpstate_tmpfs;
+#line 6
+allow dumpstate dumpstate_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute dumpstate netdomain;
+#line 7
+
+
+#line 8
+typeattribute dumpstate relabeltodomain;
+#line 8
+
+
+#line 9
+# Call the servicemanager and transfer references to it.
+#line 9
+allow dumpstate servicemanager:binder { call transfer };
+#line 9
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 9
+# all domains in domain.te.
+#line 9
+
+
+# Drop privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+
+#line 15
+allow dumpstate domain:dir { open getattr read search ioctl };
+#line 15
+allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock };
+#line 15
+
+
+# Send signals to processes
+allow dumpstate self:capability kill;
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+
+# Create and write into /data/anr/
+allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate anr_data_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } relabelto };
+allow dumpstate anr_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow dumpstate system_data_file:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file { getattr open read ioctl lock };
+
+# Read dmesg
+allow dumpstate self:capability2 syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in dumpstate/utils.c
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+
+# The /system/bin/ip command needs this for routing table information.
+allow dumpstate self:netlink_route_socket { write getattr setopt };
+
+# The vdc command needs to talk to the vold socket.
+
+#line 54
+allow dumpstate vold_socket:sock_file write;
+#line 54
+allow dumpstate vold:unix_stream_socket connectto;
+#line 54
+
+
+# Vibrate the device after we're done collecting the bugreport
+# /sys/class/timed_output/vibrator/enable
+# TODO: create a new file class, instead of allowing write access to all of /sys
+allow dumpstate sysfs:file { open append write };
+
+# Other random bits of data we want to collect
+allow dumpstate qtaguid_proc:file { getattr open read ioctl lock };
+allow dumpstate debugfs:file { getattr open read ioctl lock };
+
+# Allow dumpstate to make binder calls to any binder service
+
+#line 66
+# Call the server domain and optionally transfer references to it.
+#line 66
+allow dumpstate binderservicedomain:binder { call transfer };
+#line 66
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 66
+allow binderservicedomain dumpstate:binder transfer;
+#line 66
+# Receive and use open files from the server.
+#line 66
+allow dumpstate binderservicedomain:fd use;
+#line 66
+
+
+#line 67
+# Call the server domain and optionally transfer references to it.
+#line 67
+allow dumpstate appdomain:binder { call transfer };
+#line 67
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 67
+allow appdomain dumpstate:binder transfer;
+#line 67
+# Receive and use open files from the server.
+#line 67
+allow dumpstate appdomain:fd use;
+#line 67
+
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:capability sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow dumpstate shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Run a shell.
+allow dumpstate shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+# Dalvik Compiler JIT.
+allow dumpstate ashmem_device:chr_file execute;
+allow dumpstate dumpstate_tmpfs:file execute;
+allow dumpstate self:process execmem;
+# For art.
+allow dumpstate dalvikcache_data_file:file execute;
+
+# logd access
+
+#line 91
+
+#line 91
+allow dumpstate logdr_socket:sock_file write;
+#line 91
+allow dumpstate logd:unix_stream_socket connectto;
+#line 91
+
+#line 91
+
+
+#line 92
+# Group AID_LOG checked by filesystem & logd
+#line 92
+# to permit control commands
+#line 92
+
+#line 92
+allow dumpstate logd_socket:sock_file write;
+#line 92
+allow dumpstate logd:unix_stream_socket connectto;
+#line 92
+
+#line 92
+
+#line 1 "external/sepolicy/file.te"
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
+type qtaguid_proc, fs_type, mlstrustedobject;
+type proc_bluetooth_writable, fs_type;
+type proc_net, fs_type;
+type selinuxfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, mlstrustedobject;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type, mlstrustedobject;
+
+# File types
+type unlabeled, file_type;
+# Default type for anything under /system.
+type system_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type;
+# /data/gps
+type gps_data_file, file_type, data_file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type;
+type audio_data_file, file_type, data_file_type;
+type bluetooth_data_file, file_type, data_file_type;
+type camera_data_file, file_type, data_file_type;
+type keystore_data_file, file_type, data_file_type;
+type media_data_file, file_type, data_file_type;
+type media_rw_data_file, file_type, data_file_type;
+type nfc_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type;
+type systemkeys_data_file, file_type, data_file_type;
+type vpn_data_file, file_type, data_file_type;
+type wifi_data_file, file_type, data_file_type;
+type zoneinfo_data_file, file_type, data_file_type;
+
+# Compatibility with type names used in vanilla Android 4.3 and 4.4.
+typealias audio_data_file alias audio_firmware_file;
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type;
+type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
+# Default type for anything under /cache
+type cache_file, file_type, mlstrustedobject;
+# Type for /cache/.*\.{data|restore} and default
+# type for anything under /cache/backup
+type cache_backup_file, file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, mlstrustedobject;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, mlstrustedobject;
+# For /data/security
+type security_file, file_type;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Downloaded files
+type download_file, file_type;
+
+# Socket types
+type adbd_socket, file_type;
+type bluetooth_socket, file_type;
+type dnsproxyd_socket, file_type, mlstrustedobject;
+type dumpstate_socket, file_type;
+type gps_socket, file_type;
+type installd_socket, file_type;
+type keystore_socket, file_type;
+type lmkd_socket, file_type;
+type logd_debug, file_type;
+type logd_socket, file_type;
+type logdr_socket, file_type;
+type logdw_socket, file_type;
+type mdns_socket, file_type;
+type netd_socket, file_type;
+type property_socket, file_type;
+type qemud_socket, file_type;
+type racoon_socket, file_type;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type;
+type system_ndebug_socket, file_type;
+type vold_socket, file_type;
+type wpa_socket, file_type;
+type zygote_socket, file_type;
+
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+#line 1 "external/sepolicy/gpsd.te"
+# gpsd - GPS daemon
+type gpsd, domain;
+
+#line 3
+typeattribute gpsd mlstrustedsubject;
+#line 3
+typeattribute gpsd unconfineddomain;
+#line 3
+
+type gpsd_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init gpsd_exec:file { getattr open read execute };
+#line 6
+allow init gpsd:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow gpsd gpsd_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow gpsd init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init gpsd:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init gpsd:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init gpsd_exec:process gpsd;
+#line 6
+
+#line 6
+
+#line 6
+type gpsd_tmpfs, file_type;
+#line 6
+type_transition gpsd tmpfs:file gpsd_tmpfs;
+#line 6
+allow gpsd gpsd_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute gpsd netdomain;
+#line 7
+
+allow gpsd gps_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow gpsd gps_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Socket is created by the daemon, not by init, and under /data/gps,
+# not under /dev/socket.
+type_transition gpsd gps_data_file:sock_file gps_socket;
+allow gpsd gps_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# XXX Label sysfs files with a specific type?
+allow gpsd sysfs:file { { getattr open read ioctl lock } { open append write } };
+
+allow gpsd gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Execute the shell or system commands.
+allow gpsd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow gpsd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+#line 1 "external/sepolicy/hci_attach.te"
+type hci_attach, domain;
+type hci_attach_exec, exec_type, file_type;
+
+
+#line 4
+
+#line 4
+# Allow the necessary permissions.
+#line 4
+
+#line 4
+# Old domain may exec the file and transition to the new domain.
+#line 4
+allow init hci_attach_exec:file { getattr open read execute };
+#line 4
+allow init hci_attach:process transition;
+#line 4
+# New domain is entered by executing the file.
+#line 4
+allow hci_attach hci_attach_exec:file { entrypoint read execute };
+#line 4
+# New domain can send SIGCHLD to its caller.
+#line 4
+allow hci_attach init:process sigchld;
+#line 4
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 4
+dontaudit init hci_attach:process noatsecure;
+#line 4
+# XXX dontaudit candidate but requires further study.
+#line 4
+allow init hci_attach:process { siginh rlimitinh };
+#line 4
+
+#line 4
+# Make the transition occur by default.
+#line 4
+type_transition init hci_attach_exec:process hci_attach;
+#line 4
+
+#line 4
+
+#line 4
+type hci_attach_tmpfs, file_type;
+#line 4
+type_transition hci_attach tmpfs:file hci_attach_tmpfs;
+#line 4
+allow hci_attach hci_attach_tmpfs:file { read write };
+#line 4
+
+#line 4
+
+
+allow hci_attach kernel:system module_request;
+allow hci_attach hci_attach_dev:chr_file { { getattr open read ioctl lock } { open append write } };
+allow hci_attach bluetooth_efs_file:dir { open getattr read search ioctl };
+allow hci_attach bluetooth_efs_file:file { getattr open read ioctl lock };
+#line 1 "external/sepolicy/healthd.te"
+# healthd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type healthd, domain;
+
+allow healthd rootfs:file { read entrypoint };
+
+#line 6
+type_transition healthd device:chr_file klog_device "__kmsg__";
+#line 6
+allow healthd klog_device:chr_file { create open write unlink };
+#line 6
+allow healthd device:dir { write add_name remove_name };
+#line 6
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by healthd.
+allow healthd tmpfs:chr_file { read write };
+
+allow healthd self:capability { net_admin mknod };
+allow healthd self:capability2 block_suspend;
+allow healthd self:netlink_kobject_uevent_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+
+#line 14
+# Call the servicemanager and transfer references to it.
+#line 14
+allow healthd servicemanager:binder { call transfer };
+#line 14
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 14
+# all domains in domain.te.
+#line 14
+
+
+#line 15
+typeattribute healthd binderservicedomain;
+#line 15
+
+
+#line 16
+# Call the server domain and optionally transfer references to it.
+#line 16
+allow healthd system_server:binder { call transfer };
+#line 16
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 16
+allow system_server healthd:binder transfer;
+#line 16
+# Receive and use open files from the server.
+#line 16
+allow healthd system_server:fd use;
+#line 16
+
+
+###
+### healthd: charger mode
+###
+
+allow healthd graphics_device:dir { open getattr read search ioctl };
+allow healthd graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow healthd input_device:dir { open getattr read search ioctl };
+allow healthd input_device:chr_file { getattr open read ioctl lock };
+allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
+#line 1 "external/sepolicy/hostapd.te"
+# userspace wifi access points
+type hostapd, domain;
+
+#line 3
+typeattribute hostapd mlstrustedsubject;
+#line 3
+typeattribute hostapd unconfineddomain;
+#line 3
+
+type hostapd_exec, exec_type, file_type;
+
+allow hostapd self:capability { net_admin net_raw setuid setgid };
+allow hostapd self:netlink_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow hostapd self:packet_socket { create write read };
+allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
+allow hostapd self:udp_socket { create ioctl };
+
+allow hostapd wifi_data_file:file { { getattr open read ioctl lock } { open append write } };
+allow hostapd wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow hostapd wpa_socket:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow hostapd wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow hostapd netd:fd use;
+allow hostapd netd:udp_socket { read write };
+allow hostapd netd:netlink_kobject_uevent_socket { read write };
+allow hostapd netd:netlink_nflog_socket { read write };
+allow hostapd netd:netlink_route_socket { read write };
+allow hostapd netd:unix_stream_socket { read write };
+allow hostapd netd:fifo_file { read write };
+#line 1 "external/sepolicy/init_shell.te"
+# Restricted domain for shell processes spawned by init
+type init_shell, domain, shelldomain;
+
+#line 3
+# Allow the necessary permissions.
+#line 3
+
+#line 3
+# Old domain may exec the file and transition to the new domain.
+#line 3
+allow init shell_exec:file { getattr open read execute };
+#line 3
+allow init init_shell:process transition;
+#line 3
+# New domain is entered by executing the file.
+#line 3
+allow init_shell shell_exec:file { entrypoint read execute };
+#line 3
+# New domain can send SIGCHLD to its caller.
+#line 3
+allow init_shell init:process sigchld;
+#line 3
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 3
+dontaudit init init_shell:process noatsecure;
+#line 3
+# XXX dontaudit candidate but requires further study.
+#line 3
+allow init init_shell:process { siginh rlimitinh };
+#line 3
+
+#line 3
+# Make the transition occur by default.
+#line 3
+type_transition init shell_exec:process init_shell;
+#line 3
+
+
+#line 4
+typeattribute init_shell mlstrustedsubject;
+#line 4
+typeattribute init_shell unconfineddomain;
+#line 4
+
+
+# inherits from shelldomain.te
+#line 1 "external/sepolicy/init.te"
+# init switches to init domain (via init.rc).
+type init, domain;
+# init is unconfined.
+
+#line 4
+typeattribute init mlstrustedsubject;
+#line 4
+typeattribute init unconfineddomain;
+#line 4
+
+
+#line 5
+type init_tmpfs, file_type;
+#line 5
+type_transition init tmpfs:file init_tmpfs;
+#line 5
+allow init init_tmpfs:file { read write };
+#line 5
+
+
+#line 6
+typeattribute init relabeltodomain;
+#line 6
+
+# add a rule to handle unlabelled mounts
+allow init unlabeled:filesystem mount;
+
+allow init self:capability { sys_rawio mknod };
+
+allow init dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+allow init fs_type:filesystem *;
+allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+allow init kernel:security load_policy;
+allow init usermodehelper:file { { getattr open read ioctl lock } { open append write } };
+allow init proc_security:file { { getattr open read ioctl lock } { open append write } };
+
+# Transitions to seclabel processes in init.rc
+allow init adbd:process transition;
+allow init healthd:process transition;
+allow init recovery:process transition;
+allow init shell:process transition;
+allow init ueventd:process transition;
+allow init watchdogd:process transition;
+#line 1 "external/sepolicy/inputflinger.te"
+# inputflinger
+type inputflinger, domain;
+
+#line 3
+typeattribute inputflinger mlstrustedsubject;
+#line 3
+typeattribute inputflinger unconfineddomain;
+#line 3
+
+type inputflinger_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init inputflinger_exec:file { getattr open read execute };
+#line 6
+allow init inputflinger:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow inputflinger inputflinger_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow inputflinger init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init inputflinger:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init inputflinger:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init inputflinger_exec:process inputflinger;
+#line 6
+
+#line 6
+
+#line 6
+type inputflinger_tmpfs, file_type;
+#line 6
+type_transition inputflinger tmpfs:file inputflinger_tmpfs;
+#line 6
+allow inputflinger inputflinger_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+# Call the servicemanager and transfer references to it.
+#line 7
+allow inputflinger servicemanager:binder { call transfer };
+#line 7
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 7
+# all domains in domain.te.
+#line 7
+
+
+#line 8
+typeattribute inputflinger binderservicedomain;
+#line 8
+
+#line 1 "external/sepolicy/installd.te"
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init installd_exec:file { getattr open read execute };
+#line 5
+allow init installd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow installd installd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow installd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init installd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init installd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init installd_exec:process installd;
+#line 5
+
+#line 5
+
+#line 5
+type installd_tmpfs, file_type;
+#line 5
+type_transition installd tmpfs:file installd_tmpfs;
+#line 5
+allow installd installd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute installd relabeltodomain;
+#line 6
+
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow installd data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:{ { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { getattr unlink };
+allow installd apk_data_file:file { getattr open read ioctl lock };
+allow installd apk_tmp_file:file { getattr open read ioctl lock };
+allow installd system_file:file { getattr execute execute_no_trans };
+allow installd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow installd download_file:dir { { open getattr read search ioctl } write remove_name };
+allow installd download_file:file { { getattr open read ioctl lock } unlink };
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+
+#line 23
+allow installd selinuxfs:dir { open getattr read search ioctl };
+#line 23
+allow installd selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 23
+allow installd kernel:security check_context;
+#line 23
+
+# Read /seapp_contexts and /data/security/seapp_contexts
+
+#line 25
+allow installd security_file:dir { open getattr read search ioctl };
+#line 25
+allow installd security_file:file { getattr open read ioctl lock };
+#line 25
+allow installd security_file:lnk_file { getattr open read ioctl lock };
+#line 25
+allow installd selinuxfs:dir { open getattr read search ioctl };
+#line 25
+allow installd selinuxfs:file { getattr open read ioctl lock };
+#line 25
+allow installd rootfs:dir { open getattr read search ioctl };
+#line 25
+allow installd rootfs:file { getattr open read ioctl lock };
+#line 25
+
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file { getattr open read ioctl lock };
+allow installd bluetooth_data_file:lnk_file { create setattr };
+allow installd nfc_data_file:lnk_file { create setattr };
+allow installd radio_data_file:lnk_file { create setattr };
+allow installd shell_data_file:lnk_file { create setattr };
+#line 1 "external/sepolicy/isolated_app.te"
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+### isolated_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type isolated_app, domain;
+
+#line 13
+typeattribute isolated_app appdomain;
+#line 13
+# Label ashmem objects with our own unique type.
+#line 13
+
+#line 13
+type isolated_app_tmpfs, file_type;
+#line 13
+type_transition isolated_app tmpfs:file isolated_app_tmpfs;
+#line 13
+allow isolated_app isolated_app_tmpfs:file { read write };
+#line 13
+
+#line 13
+# Map with PROT_EXEC.
+#line 13
+allow isolated_app isolated_app_tmpfs:file execute;
+#line 13
+
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow isolated_app appdomain:unix_stream_socket { read write };
+
+allow isolated_app dalvikcache_data_file:file execute;
+allow isolated_app apk_data_file:dir getattr;
+#line 1 "external/sepolicy/kernel.te"
+# Life begins with the kernel.
+type kernel, domain;
+
+allow kernel init:process dyntransition;
+
+# The kernel is unconfined.
+
+#line 7
+typeattribute kernel mlstrustedsubject;
+#line 7
+typeattribute kernel unconfineddomain;
+#line 7
+
+
+#line 8
+typeattribute kernel relabeltodomain;
+#line 8
+
+
+allow kernel {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+allow kernel unlabeled:filesystem mount;
+allow kernel fs_type:filesystem *;
+
+# Initial setenforce by init prior to switching to init domain.
+allow kernel self:security setenforce;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel self:security setcheckreqprot;
+
+# For operations performed by kernel or init prior to switching to init domain.
+## TODO: Investigate whether it is safe to remove these
+allow kernel self:capability { sys_rawio mknod };
+auditallow kernel self:capability { sys_rawio mknod };
+allow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+auditallow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/keystore.te"
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init keystore_exec:file { getattr open read execute };
+#line 5
+allow init keystore:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow keystore keystore_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow keystore init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init keystore:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init keystore:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init keystore_exec:process keystore;
+#line 5
+
+#line 5
+
+#line 5
+type keystore_tmpfs, file_type;
+#line 5
+type_transition keystore tmpfs:file keystore_tmpfs;
+#line 5
+allow keystore keystore_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute keystore mlstrustedsubject;
+
+#line 7
+# Call the servicemanager and transfer references to it.
+#line 7
+allow keystore servicemanager:binder { call transfer };
+#line 7
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 7
+# all domains in domain.te.
+#line 7
+
+
+#line 8
+typeattribute keystore binderservicedomain;
+#line 8
+
+allow keystore keystore_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow keystore keystore_exec:file { getattr };
+allow keystore tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow keystore tee:unix_stream_socket connectto;
+#line 1 "external/sepolicy/lmkd.te"
+# lmkd low memory killer daemon
+type lmkd, domain;
+type lmkd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init lmkd_exec:file { getattr open read execute };
+#line 5
+allow init lmkd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow lmkd lmkd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow lmkd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init lmkd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init lmkd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init lmkd_exec:process lmkd;
+#line 5
+
+#line 5
+
+#line 5
+type lmkd_tmpfs, file_type;
+#line 5
+type_transition lmkd tmpfs:file lmkd_tmpfs;
+#line 5
+allow lmkd lmkd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+allow lmkd self:capability { dac_override sys_resource };
+
+## Open and write to /proc/PID/oom_score_adj
+## TODO: maybe scope this down?
+
+#line 11
+allow lmkd appdomain:dir { open getattr read search ioctl };
+#line 11
+allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock };
+#line 11
+
+allow lmkd appdomain:file write;
+
+#line 13
+allow lmkd system_server:dir { open getattr read search ioctl };
+#line 13
+allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock };
+#line 13
+
+allow lmkd system_server:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+allow lmkd sysfs_lowmemorykiller:file { open append write };
+#line 1 "external/sepolicy/logd.te"
+# android user-space log manager
+type logd, domain;
+type logd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init logd_exec:file { getattr open read execute };
+#line 5
+allow init logd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow logd logd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow logd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init logd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init logd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init logd_exec:process logd;
+#line 5
+
+#line 5
+
+#line 5
+type logd_tmpfs, file_type;
+#line 5
+type_transition logd tmpfs:file logd_tmpfs;
+#line 5
+allow logd logd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+allow logd self:unix_stream_socket *;
+
+allow logd self:capability { setuid setgid sys_nice };
+
+
+#line 10
+allow logd domain:dir { open getattr read search ioctl };
+#line 10
+allow logd domain:{ file lnk_file } { getattr open read ioctl lock };
+#line 10
+
+
+#line 17
+
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+#line 1 "external/sepolicy/media_app.te"
+###
+### Apps signed with the media key.
+###
+
+type media_app, domain;
+
+#line 6
+typeattribute media_app appdomain;
+#line 6
+# Label ashmem objects with our own unique type.
+#line 6
+
+#line 6
+type media_app_tmpfs, file_type;
+#line 6
+type_transition media_app tmpfs:file media_app_tmpfs;
+#line 6
+allow media_app media_app_tmpfs:file { read write };
+#line 6
+
+#line 6
+# Map with PROT_EXEC.
+#line 6
+allow media_app media_app_tmpfs:file execute;
+#line 6
+
+
+#line 7
+typeattribute media_app platformappdomain;
+#line 7
+typeattribute media_app mlstrustedsubject;
+#line 7
+
+
+#line 8
+typeattribute media_app binderservicedomain;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute media_app netdomain;
+#line 10
+
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file { { getattr open read ioctl lock } { open append write } };
+# Write to /cache.
+allow media_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow media_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Stat /cache/lost+found
+allow media_app unlabeled:file getattr;
+allow media_app unlabeled:dir getattr;
+# Stat /cache/backup
+allow media_app cache_backup_file:file getattr;
+allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir (in particular, file_contexts for restorecon).
+allow media_app rootfs:file { getattr open read ioctl lock };
+allow media_app download_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow media_app download_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Allow platform apps to mark platform app data files as download files
+
+#line 27
+typeattribute media_app relabeltodomain;
+#line 27
+
+allow media_app platform_app_data_file:dir relabelfrom;
+allow media_app download_file:dir relabelto;
+#line 1 "external/sepolicy/mediaserver.te"
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+
+#line 3
+typeattribute mediaserver mlstrustedsubject;
+#line 3
+typeattribute mediaserver unconfineddomain;
+#line 3
+
+type mediaserver_exec, exec_type, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+
+#line 8
+typeattribute mediaserver netdomain;
+#line 8
+
+
+#line 9
+
+#line 9
+# Allow the necessary permissions.
+#line 9
+
+#line 9
+# Old domain may exec the file and transition to the new domain.
+#line 9
+allow init mediaserver_exec:file { getattr open read execute };
+#line 9
+allow init mediaserver:process transition;
+#line 9
+# New domain is entered by executing the file.
+#line 9
+allow mediaserver mediaserver_exec:file { entrypoint read execute };
+#line 9
+# New domain can send SIGCHLD to its caller.
+#line 9
+allow mediaserver init:process sigchld;
+#line 9
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 9
+dontaudit init mediaserver:process noatsecure;
+#line 9
+# XXX dontaudit candidate but requires further study.
+#line 9
+allow init mediaserver:process { siginh rlimitinh };
+#line 9
+
+#line 9
+# Make the transition occur by default.
+#line 9
+type_transition init mediaserver_exec:process mediaserver;
+#line 9
+
+#line 9
+
+#line 9
+type mediaserver_tmpfs, file_type;
+#line 9
+type_transition mediaserver tmpfs:file mediaserver_tmpfs;
+#line 9
+allow mediaserver mediaserver_tmpfs:file { read write };
+#line 9
+
+#line 9
+
+
+#line 10
+allow mediaserver property_socket:sock_file write;
+#line 10
+allow mediaserver init:unix_stream_socket connectto;
+#line 10
+
+
+
+#line 12
+allow mediaserver sdcard_type:dir { open getattr read search ioctl };
+#line 12
+allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock };
+#line 12
+
+
+
+#line 14
+# Call the servicemanager and transfer references to it.
+#line 14
+allow mediaserver servicemanager:binder { call transfer };
+#line 14
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 14
+# all domains in domain.te.
+#line 14
+
+
+#line 15
+# Call the server domain and optionally transfer references to it.
+#line 15
+allow mediaserver binderservicedomain:binder { call transfer };
+#line 15
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 15
+allow binderservicedomain mediaserver:binder transfer;
+#line 15
+# Receive and use open files from the server.
+#line 15
+allow mediaserver binderservicedomain:fd use;
+#line 15
+
+
+#line 16
+# Call the server domain and optionally transfer references to it.
+#line 16
+allow mediaserver appdomain:binder { call transfer };
+#line 16
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 16
+allow appdomain mediaserver:binder transfer;
+#line 16
+# Receive and use open files from the server.
+#line 16
+allow mediaserver appdomain:fd use;
+#line 16
+
+
+#line 17
+typeattribute mediaserver binderservicedomain;
+#line 17
+
+
+allow mediaserver self:process execmem;
+allow mediaserver kernel:system module_request;
+allow mediaserver media_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow mediaserver media_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver platform_app_data_file:file { getattr read };
+allow mediaserver sdcard_type:file write;
+allow mediaserver { gpu_device graphics_device }:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver video_device:dir { open getattr read search ioctl };
+allow mediaserver video_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver audio_device:dir { open getattr read search ioctl };
+allow mediaserver qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver audio_prop:property_service set;
+
+# Access audio devices at all.
+allow mediaserver audio_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# XXX Label with a specific type?
+allow mediaserver sysfs:file { { getattr open read ioctl lock } { open append write } };
+
+# XXX Why?
+allow mediaserver apk_data_file:file { read getattr };
+
+# Access camera device.
+allow mediaserver camera_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file { getattr open read ioctl lock };
+
+# Camera data
+
+#line 52
+allow mediaserver camera_data_file:dir { open getattr read search ioctl };
+#line 52
+allow mediaserver camera_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 52
+
+
+#line 53
+allow mediaserver media_rw_data_file:dir { open getattr read search ioctl };
+#line 53
+allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 53
+
+
+# Grant access to audio files to mediaserver
+allow mediaserver audio_data_file:dir { { open getattr read search ioctl } add_name write };
+allow mediaserver audio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver qtaguid_device:chr_file { getattr open read ioctl lock };
+
+# Allow abstract socket connection
+allow mediaserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+
+#line 68
+allow mediaserver drmserver_socket:sock_file write;
+#line 68
+allow mediaserver drmserver:unix_stream_socket connectto;
+#line 68
+
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+
+#line 72
+allow mediaserver bluetooth_socket:sock_file write;
+#line 72
+allow mediaserver bluetooth:unix_stream_socket connectto;
+#line 72
+
+#line 1 "external/sepolicy/mtp.te"
+# vpn tunneling protocol manager
+type mtp, domain;
+
+#line 3
+typeattribute mtp mlstrustedsubject;
+#line 3
+typeattribute mtp unconfineddomain;
+#line 3
+
+type mtp_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init mtp_exec:file { getattr open read execute };
+#line 6
+allow init mtp:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow mtp mtp_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow mtp init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init mtp:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init mtp:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init mtp_exec:process mtp;
+#line 6
+
+#line 6
+
+#line 6
+type mtp_tmpfs, file_type;
+#line 6
+type_transition mtp tmpfs:file mtp_tmpfs;
+#line 6
+allow mtp mtp_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute mtp netdomain;
+#line 7
+
+
+# pptp policy
+allow mtp self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow mtp self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow mtp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow mtp self:capability net_raw;
+allow mtp ppp:process signal;
+allow mtp port:tcp_socket name_connect;
+allow mtp vpn_data_file:dir search;
+#line 1 "external/sepolicy/netd.te"
+# network manager
+type netd, domain;
+type netd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init netd_exec:file { getattr open read execute };
+#line 5
+allow init netd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow netd netd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow netd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init netd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init netd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init netd_exec:process netd;
+#line 5
+
+#line 5
+
+#line 5
+type netd_tmpfs, file_type;
+#line 5
+type_transition netd tmpfs:file netd_tmpfs;
+#line 5
+allow netd netd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute netd netdomain;
+#line 6
+
+
+allow netd self:capability { net_admin net_raw kill fsetid };
+allow netd self:netlink_kobject_uevent_socket *;
+allow netd self:netlink_route_socket *;
+allow netd self:netlink_nflog_socket *;
+allow netd self:rawip_socket *;
+allow netd self:unix_stream_socket *;
+allow netd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow netd system_file:file { getattr execute execute_no_trans };
+allow netd devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net:file write;
+
+# For /sys/modules/bcmdhd/parameters/firmware_path
+# XXX Split into its own type.
+allow netd sysfs:file write;
+
+# Set dhcp lease for PAN connection
+
+#line 26
+allow netd property_socket:sock_file write;
+#line 26
+allow netd init:unix_stream_socket connectto;
+#line 26
+
+allow netd system_prop:property_service set;
+
+# Connect to PAN
+
+#line 30
+# Allow the necessary permissions.
+#line 30
+
+#line 30
+# Old domain may exec the file and transition to the new domain.
+#line 30
+allow netd dhcp_exec:file { getattr open read execute };
+#line 30
+allow netd dhcp:process transition;
+#line 30
+# New domain is entered by executing the file.
+#line 30
+allow dhcp dhcp_exec:file { entrypoint read execute };
+#line 30
+# New domain can send SIGCHLD to its caller.
+#line 30
+allow dhcp netd:process sigchld;
+#line 30
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 30
+dontaudit netd dhcp:process noatsecure;
+#line 30
+# XXX dontaudit candidate but requires further study.
+#line 30
+allow netd dhcp:process { siginh rlimitinh };
+#line 30
+
+#line 30
+# Make the transition occur by default.
+#line 30
+type_transition netd dhcp_exec:process dhcp;
+#line 30
+
+allow netd dhcp:process signal;
+
+# Needed to update /data/misc/wifi/hostapd.conf
+# TODO: See what we can do to reduce the need for
+# these capabilities
+allow netd self:capability { dac_override chown fowner };
+allow netd wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow netd wifi_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+
+# Allow netd to spawn hostapd in it's own domain
+
+#line 41
+# Allow the necessary permissions.
+#line 41
+
+#line 41
+# Old domain may exec the file and transition to the new domain.
+#line 41
+allow netd hostapd_exec:file { getattr open read execute };
+#line 41
+allow netd hostapd:process transition;
+#line 41
+# New domain is entered by executing the file.
+#line 41
+allow hostapd hostapd_exec:file { entrypoint read execute };
+#line 41
+# New domain can send SIGCHLD to its caller.
+#line 41
+allow hostapd netd:process sigchld;
+#line 41
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 41
+dontaudit netd hostapd:process noatsecure;
+#line 41
+# XXX dontaudit candidate but requires further study.
+#line 41
+allow netd hostapd:process { siginh rlimitinh };
+#line 41
+
+#line 41
+# Make the transition occur by default.
+#line 41
+type_transition netd hostapd_exec:process hostapd;
+#line 41
+
+allow netd hostapd:process signal;
+
+# Allow netd to spawn dnsmasq in it's own domain
+
+#line 45
+# Allow the necessary permissions.
+#line 45
+
+#line 45
+# Old domain may exec the file and transition to the new domain.
+#line 45
+allow netd dnsmasq_exec:file { getattr open read execute };
+#line 45
+allow netd dnsmasq:process transition;
+#line 45
+# New domain is entered by executing the file.
+#line 45
+allow dnsmasq dnsmasq_exec:file { entrypoint read execute };
+#line 45
+# New domain can send SIGCHLD to its caller.
+#line 45
+allow dnsmasq netd:process sigchld;
+#line 45
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 45
+dontaudit netd dnsmasq:process noatsecure;
+#line 45
+# XXX dontaudit candidate but requires further study.
+#line 45
+allow netd dnsmasq:process { siginh rlimitinh };
+#line 45
+
+#line 45
+# Make the transition occur by default.
+#line 45
+type_transition netd dnsmasq_exec:process dnsmasq;
+#line 45
+
+allow netd dnsmasq:process signal;
+
+# Allow netd to start clatd in its own domain
+
+#line 49
+# Allow the necessary permissions.
+#line 49
+
+#line 49
+# Old domain may exec the file and transition to the new domain.
+#line 49
+allow netd clatd_exec:file { getattr open read execute };
+#line 49
+allow netd clatd:process transition;
+#line 49
+# New domain is entered by executing the file.
+#line 49
+allow clatd clatd_exec:file { entrypoint read execute };
+#line 49
+# New domain can send SIGCHLD to its caller.
+#line 49
+allow clatd netd:process sigchld;
+#line 49
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 49
+dontaudit netd clatd:process noatsecure;
+#line 49
+# XXX dontaudit candidate but requires further study.
+#line 49
+allow netd clatd:process { siginh rlimitinh };
+#line 49
+
+#line 49
+# Make the transition occur by default.
+#line 49
+type_transition netd clatd_exec:process clatd;
+#line 49
+
+allow netd clatd:process signal;
+
+# Support netd running mdnsd
+# TODO: prune this back further
+allow netd ctl_default_prop:property_service set;
+allow netd device:sock_file write;
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# Setting SELinux enforcing status or booleans.
+neverallow netd kernel:security { setenforce setbool };
+
+# Load security policy.
+neverallow netd kernel:security load_policy;
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+#line 1 "external/sepolicy/net.te"
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+# Use network sockets.
+allow netdomain self:{ tcp_socket udp_socket } *;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
+# Get route information.
+allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+
+#line 18
+allow netdomain dnsproxyd_socket:sock_file write;
+#line 18
+allow netdomain netd:unix_stream_socket connectto;
+#line 18
+
+#line 1 "external/sepolicy/nfc.te"
+# nfc subsystem
+type nfc, domain;
+
+#line 3
+typeattribute nfc appdomain;
+#line 3
+# Label ashmem objects with our own unique type.
+#line 3
+
+#line 3
+type nfc_tmpfs, file_type;
+#line 3
+type_transition nfc tmpfs:file nfc_tmpfs;
+#line 3
+allow nfc nfc_tmpfs:file { read write };
+#line 3
+
+#line 3
+# Map with PROT_EXEC.
+#line 3
+allow nfc nfc_tmpfs:file execute;
+#line 3
+
+
+#line 4
+typeattribute nfc binderservicedomain;
+#line 4
+
+
+# NFC device access.
+allow nfc nfc_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Data file accesses.
+allow nfc nfc_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+allow nfc sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
+allow nfc sysfs:file write;
+
+allow nfc sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow nfc sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/platform_app.te"
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
+
+#line 6
+typeattribute platform_app mlstrustedsubject;
+#line 6
+typeattribute platform_app unconfineddomain;
+#line 6
+
+
+#line 7
+typeattribute platform_app appdomain;
+#line 7
+# Label ashmem objects with our own unique type.
+#line 7
+
+#line 7
+type platform_app_tmpfs, file_type;
+#line 7
+type_transition platform_app tmpfs:file platform_app_tmpfs;
+#line 7
+allow platform_app platform_app_tmpfs:file { read write };
+#line 7
+
+#line 7
+# Map with PROT_EXEC.
+#line 7
+allow platform_app platform_app_tmpfs:file execute;
+#line 7
+
+
+#line 8
+typeattribute platform_app platformappdomain;
+#line 8
+typeattribute platform_app mlstrustedsubject;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute platform_app netdomain;
+#line 10
+
+# Access bluetooth.
+
+#line 12
+typeattribute platform_app bluetoothdomain;
+#line 12
+
+# Write to /cache.
+allow platform_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow platform_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Read from /data/local.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock } { open append write } };
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platform_app asec_apk_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Access download files.
+allow platform_app download_file:file { { getattr open read ioctl lock } { open append write } };
+# Allow BackupManagerService to backup all app domains
+allow platform_app appdomain:fifo_file write;
+
+#
+# Rules for all platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platformappdomain platform_app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow platformappdomain platform_app_data_file:file execute;
+# App sdcard file accesses
+allow platformappdomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platformappdomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platformappdomain media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/ppp.te"
+# Point to Point Protocol daemon
+type ppp, domain;
+
+#line 3
+typeattribute ppp mlstrustedsubject;
+#line 3
+typeattribute ppp unconfineddomain;
+#line 3
+
+type ppp_device, dev_type;
+type ppp_exec, exec_type, file_type;
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow mtp ppp_exec:file { getattr open read execute };
+#line 6
+allow mtp ppp:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow ppp ppp_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow ppp mtp:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit mtp ppp:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow mtp ppp:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition mtp ppp_exec:process ppp;
+#line 6
+
+
+allow ppp mtp:socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow ppp ppp_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow ppp self:capability net_admin;
+allow ppp self:udp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow ppp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow ppp vpn_data_file:dir { open search write add_name remove_name };
+allow ppp vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow ppp mtp:fd use;
+#line 1 "external/sepolicy/property.te"
+type default_prop, property_type;
+type shell_prop, property_type;
+type debug_prop, property_type;
+type debuggerd_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;
+type audio_prop, property_type;
+type security_prop, property_type;
+type bluetooth_prop, property_type;
+type powerctl_prop, property_type;
+#line 1 "external/sepolicy/qemud.te"
+# qemu support daemon
+type qemud, domain;
+type qemud_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init qemud_exec:file { getattr open read execute };
+#line 5
+allow init qemud:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow qemud qemud_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow qemud init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init qemud:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init qemud:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init qemud_exec:process qemud;
+#line 5
+
+#line 5
+
+#line 5
+type qemud_tmpfs, file_type;
+#line 5
+type_transition qemud tmpfs:file qemud_tmpfs;
+#line 5
+allow qemud qemud_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute qemud mlstrustedsubject;
+#line 6
+typeattribute qemud unconfineddomain;
+#line 1 "external/sepolicy/racoon.te"
+# IKE key management daemon
+type racoon, domain;
+
+#line 3
+typeattribute racoon mlstrustedsubject;
+#line 3
+typeattribute racoon unconfineddomain;
+#line 3
+
+type racoon_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init racoon_exec:file { getattr open read execute };
+#line 6
+allow init racoon:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow racoon racoon_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow racoon init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init racoon:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init racoon:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init racoon_exec:process racoon;
+#line 6
+
+#line 6
+
+#line 6
+type racoon_tmpfs, file_type;
+#line 6
+type_transition racoon tmpfs:file racoon_tmpfs;
+#line 6
+allow racoon racoon_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+typeattribute racoon mlstrustedsubject;
+
+
+#line 9
+# Call the server domain and optionally transfer references to it.
+#line 9
+allow racoon servicemanager:binder { call transfer };
+#line 9
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 9
+allow servicemanager racoon:binder transfer;
+#line 9
+# Receive and use open files from the server.
+#line 9
+allow racoon servicemanager:fd use;
+#line 9
+
+
+#line 10
+# Call the server domain and optionally transfer references to it.
+#line 10
+allow racoon keystore:binder { call transfer };
+#line 10
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 10
+allow keystore racoon:binder transfer;
+#line 10
+# Receive and use open files from the server.
+#line 10
+allow racoon keystore:fd use;
+#line 10
+
+
+allow racoon tun_device:chr_file { getattr open read ioctl lock };
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow racoon vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow racoon vpn_data_file:dir { open search write add_name remove_name };
+#line 1 "external/sepolicy/radio.te"
+# phone subsystem
+type radio, domain;
+
+#line 3
+typeattribute radio appdomain;
+#line 3
+# Label ashmem objects with our own unique type.
+#line 3
+
+#line 3
+type radio_tmpfs, file_type;
+#line 3
+type_transition radio tmpfs:file radio_tmpfs;
+#line 3
+allow radio radio_tmpfs:file { read write };
+#line 3
+
+#line 3
+# Map with PROT_EXEC.
+#line 3
+allow radio radio_tmpfs:file execute;
+#line 3
+
+
+#line 4
+typeattribute radio netdomain;
+#line 4
+
+
+#line 5
+typeattribute radio bluetoothdomain;
+#line 5
+
+
+#line 6
+typeattribute radio binderservicedomain;
+#line 6
+
+
+# Talks to init via the property socket.
+
+#line 9
+allow radio property_socket:sock_file write;
+#line 9
+allow radio init:unix_stream_socket connectto;
+#line 9
+
+
+# Talks to rild via the rild socket.
+
+#line 12
+allow radio rild_socket:sock_file write;
+#line 12
+allow radio rild:unix_stream_socket connectto;
+#line 12
+
+
+# Data file accesses.
+allow radio radio_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+allow radio alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
+#line 1 "external/sepolicy/recovery.te"
+# recovery console (used in recovery init.rc for /sbin/recovery)
+type recovery, domain;
+allow recovery rootfs:file entrypoint;
+
+#line 4
+typeattribute recovery mlstrustedsubject;
+#line 4
+typeattribute recovery unconfineddomain;
+#line 4
+
+
+#line 5
+typeattribute recovery relabeltodomain;
+#line 5
+
+
+allow recovery self:capability2 mac_admin;
+
+allow recovery {fs_type dev_type -kmem_device file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+allow recovery unlabeled:filesystem mount;
+allow recovery fs_type:filesystem *;
+
+# Required to e.g. wipe userdata/cache.
+allow recovery dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+
+allow recovery self:process execmem;
+allow recovery ashmem_device:chr_file execute;
+allow recovery tmpfs:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+## TODO: Investigate whether it is safe to remove these
+allow recovery self:capability { sys_rawio mknod };
+auditallow recovery self:capability { sys_rawio mknod };
+#line 1 "external/sepolicy/release_app.te"
+###
+### Apps signed with the release key (testkey in AOSP).
+###
+
+type release_app, domain;
+
+#line 6
+typeattribute release_app mlstrustedsubject;
+#line 6
+typeattribute release_app unconfineddomain;
+#line 6
+
+
+#line 7
+typeattribute release_app appdomain;
+#line 7
+# Label ashmem objects with our own unique type.
+#line 7
+
+#line 7
+type release_app_tmpfs, file_type;
+#line 7
+type_transition release_app tmpfs:file release_app_tmpfs;
+#line 7
+allow release_app release_app_tmpfs:file { read write };
+#line 7
+
+#line 7
+# Map with PROT_EXEC.
+#line 7
+allow release_app release_app_tmpfs:file execute;
+#line 7
+
+
+#line 8
+typeattribute release_app platformappdomain;
+#line 8
+typeattribute release_app mlstrustedsubject;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute release_app netdomain;
+#line 10
+
+# Access bluetooth.
+
+#line 12
+typeattribute release_app bluetoothdomain;
+#line 12
+
+
+# Write to /cache.
+allow release_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow release_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/rild.te"
+# rild - radio interface layer daemon
+type rild, domain;
+
+#line 3
+typeattribute rild mlstrustedsubject;
+#line 3
+typeattribute rild unconfineddomain;
+#line 3
+
+type rild_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init rild_exec:file { getattr open read execute };
+#line 6
+allow init rild:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow rild rild_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow rild init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init rild:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init rild:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init rild_exec:process rild;
+#line 6
+
+#line 6
+
+#line 6
+type rild_tmpfs, file_type;
+#line 6
+type_transition rild tmpfs:file rild_tmpfs;
+#line 6
+allow rild rild_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute rild netdomain;
+#line 7
+
+allow rild self:netlink_route_socket { setopt write };
+allow rild kernel:system module_request;
+
+#line 10
+allow rild property_socket:sock_file write;
+#line 10
+allow rild init:unix_stream_socket connectto;
+#line 10
+
+
+#line 11
+allow rild qemud_socket:sock_file write;
+#line 11
+allow rild qemud:unix_stream_socket connectto;
+#line 11
+
+allow rild self:capability { setuid net_admin net_raw };
+allow rild alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow rild cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow rild radio_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow rild radio_device:blk_file { getattr open read ioctl lock };
+allow rild qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow rild mtd_device:dir search;
+allow rild efs_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow rild efs_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow rild shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow rild bluetooth_efs_file:file { getattr open read ioctl lock };
+allow rild bluetooth_efs_file:dir { open getattr read search ioctl };
+allow rild radio_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow rild radio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow rild sdcard_type:dir { open getattr read search ioctl };
+allow rild system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow rild system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow rild system_file:file { getattr execute execute_no_trans };
+dontaudit rild self:capability sys_admin;
+
+# property service
+allow rild rild_prop:property_service set;
+allow rild radio_prop:property_service set;
+
+# Read/Write to uart driver (for GPS)
+allow rild gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+allow rild tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Allow rild to create, bind, read, write to itself through a netlink socket
+allow rild self:netlink_socket { create bind read write };
+
+allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+
+# Access to wake locks
+allow rild sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
+
+allow rild self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+#line 1 "external/sepolicy/runas.te"
+type runas, domain, mlstrustedsubject;
+type runas_exec, exec_type, file_type;
+
+# ndk-gdb invokes adb shell run-as.
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow shell runas_exec:file { getattr open read execute };
+#line 5
+allow shell runas:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow runas runas_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow runas shell:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit shell runas:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow shell runas:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition shell runas_exec:process runas;
+#line 5
+
+allow runas adbd:process sigchld;
+allow runas shell:fd use;
+allow runas devpts:chr_file { read write ioctl };
+
+# run-as reads package information.
+allow runas system_data_file:file { getattr open read ioctl lock };
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+
+# run-as switches to the app security context.
+# read /seapp_contexts and /data/security/seapp_contexts
+
+#line 22
+allow runas security_file:dir { open getattr read search ioctl };
+#line 22
+allow runas security_file:file { getattr open read ioctl lock };
+#line 22
+allow runas security_file:lnk_file { getattr open read ioctl lock };
+#line 22
+allow runas selinuxfs:dir { open getattr read search ioctl };
+#line 22
+allow runas selinuxfs:file { getattr open read ioctl lock };
+#line 22
+allow runas rootfs:dir { open getattr read search ioctl };
+#line 22
+allow runas rootfs:file { getattr open read ioctl lock };
+#line 22
+
+
+#line 23
+allow runas selinuxfs:dir { open getattr read search ioctl };
+#line 23
+allow runas selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 23
+allow runas kernel:security check_context;
+#line 23
+ # validate context
+allow runas { appdomain -system_app }:process dyntransition; # setcon
+#line 1 "external/sepolicy/sdcardd.te"
+type sdcardd, domain;
+type sdcardd_exec, exec_type, file_type;
+
+
+#line 4
+
+#line 4
+# Allow the necessary permissions.
+#line 4
+
+#line 4
+# Old domain may exec the file and transition to the new domain.
+#line 4
+allow init sdcardd_exec:file { getattr open read execute };
+#line 4
+allow init sdcardd:process transition;
+#line 4
+# New domain is entered by executing the file.
+#line 4
+allow sdcardd sdcardd_exec:file { entrypoint read execute };
+#line 4
+# New domain can send SIGCHLD to its caller.
+#line 4
+allow sdcardd init:process sigchld;
+#line 4
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 4
+dontaudit init sdcardd:process noatsecure;
+#line 4
+# XXX dontaudit candidate but requires further study.
+#line 4
+allow init sdcardd:process { siginh rlimitinh };
+#line 4
+
+#line 4
+# Make the transition occur by default.
+#line 4
+type_transition init sdcardd_exec:process sdcardd;
+#line 4
+
+#line 4
+
+#line 4
+type sdcardd_tmpfs, file_type;
+#line 4
+type_transition sdcardd tmpfs:file sdcardd_tmpfs;
+#line 4
+allow sdcardd sdcardd_tmpfs:file { read write };
+#line 4
+
+#line 4
+
+
+allow sdcardd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow sdcardd rootfs:dir mounton;
+allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
+
+allow sdcardd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
+allow sdcardd media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file { getattr open read ioctl lock };
+
+# Compatibility for existing devices with /data/media in system_data_file.
+# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
+allow sdcardd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/servicemanager.te"
+# servicemanager - the Binder context manager
+type servicemanager, domain;
+type servicemanager_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init servicemanager_exec:file { getattr open read execute };
+#line 5
+allow init servicemanager:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow servicemanager servicemanager_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow servicemanager init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init servicemanager:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init servicemanager:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init servicemanager_exec:process servicemanager;
+#line 5
+
+#line 5
+
+#line 5
+type servicemanager_tmpfs, file_type;
+#line 5
+type_transition servicemanager tmpfs:file servicemanager_tmpfs;
+#line 5
+allow servicemanager servicemanager_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager domain:binder transfer;
+#line 1 "external/sepolicy/shared_app.te"
+###
+### Apps signed with the shared key.
+###
+
+type shared_app, domain;
+
+#line 6
+typeattribute shared_app mlstrustedsubject;
+#line 6
+typeattribute shared_app unconfineddomain;
+#line 6
+
+
+#line 7
+typeattribute shared_app appdomain;
+#line 7
+# Label ashmem objects with our own unique type.
+#line 7
+
+#line 7
+type shared_app_tmpfs, file_type;
+#line 7
+type_transition shared_app tmpfs:file shared_app_tmpfs;
+#line 7
+allow shared_app shared_app_tmpfs:file { read write };
+#line 7
+
+#line 7
+# Map with PROT_EXEC.
+#line 7
+allow shared_app shared_app_tmpfs:file execute;
+#line 7
+
+
+#line 8
+typeattribute shared_app platformappdomain;
+#line 8
+typeattribute shared_app mlstrustedsubject;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute shared_app netdomain;
+#line 10
+
+# Access bluetooth.
+
+#line 12
+typeattribute shared_app bluetoothdomain;
+#line 12
+
+#line 1 "external/sepolicy/shelldomain.te"
+# Rules for all shell domains (e.g. console service and adb shell).
+
+# Access /data/local/tmp.
+allow shelldomain shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow shelldomain shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow shelldomain shell_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# Access sdcard.
+allow shelldomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow shelldomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# adb bugreport
+
+#line 13
+allow shelldomain dumpstate_socket:sock_file write;
+#line 13
+allow shelldomain dumpstate:unix_stream_socket connectto;
+#line 13
+
+
+allow shelldomain rootfs:dir { open getattr read search ioctl };
+allow shelldomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain console_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain input_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain system_file:file { getattr execute execute_no_trans };
+allow shelldomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow shelldomain zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+
+#line 24
+allow shelldomain apk_data_file:dir { open getattr read search ioctl };
+#line 24
+allow shelldomain apk_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 24
+
+
+# Set properties.
+
+#line 27
+allow shelldomain property_socket:sock_file write;
+#line 27
+allow shelldomain init:unix_stream_socket connectto;
+#line 27
+
+allow shelldomain shell_prop:property_service set;
+allow shelldomain ctl_dumpstate_prop:property_service set;
+allow shelldomain debug_prop:property_service set;
+allow shelldomain powerctl_prop:property_service set;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+
+#line 34
+allow shelldomain { appdomain -system_app }:dir { open getattr read search ioctl };
+#line 34
+allow shelldomain { appdomain -system_app }:{ file lnk_file } { getattr open read ioctl lock };
+#line 34
+
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shelldomain app_data_file:dir search;
+
+# ps and ps -Z output for app processes.
+
+#line 40
+allow shelldomain appdomain:dir { open getattr read search ioctl };
+#line 40
+allow shelldomain appdomain:{ file lnk_file } { getattr open read ioctl lock };
+#line 40
+
+allow shelldomain appdomain:process getattr;
+#line 1 "external/sepolicy/shell.te"
+# Domain for shell processes spawned by ADB
+type shell, domain, shelldomain, mlstrustedsubject;
+type shell_exec, exec_type, file_type;
+
+# Create and use network sockets.
+
+#line 6
+typeattribute shell netdomain;
+#line 6
+
+
+# Run app_process.
+# XXX Transition into its own domain?
+
+#line 10
+typeattribute shell appdomain;
+#line 10
+# Label ashmem objects with our own unique type.
+#line 10
+
+#line 10
+type shell_tmpfs, file_type;
+#line 10
+type_transition shell tmpfs:file shell_tmpfs;
+#line 10
+allow shell shell_tmpfs:file { read write };
+#line 10
+
+#line 10
+# Map with PROT_EXEC.
+#line 10
+allow shell shell_tmpfs:file execute;
+#line 10
+
+
+# inherits from shelldomain.te
+#line 1 "external/sepolicy/surfaceflinger.te"
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
+
+#line 3
+typeattribute surfaceflinger mlstrustedsubject;
+#line 3
+typeattribute surfaceflinger unconfineddomain;
+#line 3
+
+type surfaceflinger_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init surfaceflinger_exec:file { getattr open read execute };
+#line 6
+allow init surfaceflinger:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow surfaceflinger surfaceflinger_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow surfaceflinger init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init surfaceflinger:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init surfaceflinger:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init surfaceflinger_exec:process surfaceflinger;
+#line 6
+
+#line 6
+
+#line 6
+type surfaceflinger_tmpfs, file_type;
+#line 6
+type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs;
+#line 6
+allow surfaceflinger surfaceflinger_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+typeattribute surfaceflinger mlstrustedsubject;
+
+# Talk to init over the property socket.
+
+#line 10
+allow surfaceflinger property_socket:sock_file write;
+#line 10
+allow surfaceflinger init:unix_stream_socket connectto;
+#line 10
+
+
+# Perform Binder IPC.
+
+#line 13
+# Call the servicemanager and transfer references to it.
+#line 13
+allow surfaceflinger servicemanager:binder { call transfer };
+#line 13
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 13
+# all domains in domain.te.
+#line 13
+
+
+#line 14
+# Call the server domain and optionally transfer references to it.
+#line 14
+allow surfaceflinger system_server:binder { call transfer };
+#line 14
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 14
+allow system_server surfaceflinger:binder transfer;
+#line 14
+# Receive and use open files from the server.
+#line 14
+allow surfaceflinger system_server:fd use;
+#line 14
+
+
+#line 15
+# Call the server domain and optionally transfer references to it.
+#line 15
+allow surfaceflinger nfc:binder { call transfer };
+#line 15
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 15
+allow nfc surfaceflinger:binder transfer;
+#line 15
+# Receive and use open files from the server.
+#line 15
+allow surfaceflinger nfc:fd use;
+#line 15
+
+
+#line 16
+# Call the server domain and optionally transfer references to it.
+#line 16
+allow surfaceflinger mediaserver:binder { call transfer };
+#line 16
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 16
+allow mediaserver surfaceflinger:binder transfer;
+#line 16
+# Receive and use open files from the server.
+#line 16
+allow surfaceflinger mediaserver:fd use;
+#line 16
+
+
+#line 17
+typeattribute surfaceflinger binderservicedomain;
+#line 17
+
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir { open getattr read search ioctl };
+allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
+allow surfaceflinger ctl_default_prop:property_service set;
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger platform_app_data_file:file { read write };
+allow surfaceflinger app_data_file:file { read write };
+
+# Use open file provided by bootanim.
+allow surfaceflinger bootanim:fd use;
+
+# Allow a dumpstate triggered screenshot
+
+#line 46
+# Call the server domain and optionally transfer references to it.
+#line 46
+allow surfaceflinger dumpstate:binder { call transfer };
+#line 46
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 46
+allow dumpstate surfaceflinger:binder transfer;
+#line 46
+# Receive and use open files from the server.
+#line 46
+allow surfaceflinger dumpstate:fd use;
+#line 46
+
+
+#line 47
+# Call the server domain and optionally transfer references to it.
+#line 47
+allow surfaceflinger shell:binder { call transfer };
+#line 47
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 47
+allow shell surfaceflinger:binder transfer;
+#line 47
+# Receive and use open files from the server.
+#line 47
+allow surfaceflinger shell:fd use;
+#line 47
+
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee:unix_stream_socket connectto;
+allow surfaceflinger tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/su.te"
+# File types must be defined for file_contexts.
+type su_exec, exec_type, file_type;
+
+#line 23
+
+#line 1 "external/sepolicy/system_app.te"
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings. These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+
+#line 7
+typeattribute system_app mlstrustedsubject;
+#line 7
+typeattribute system_app unconfineddomain;
+#line 7
+
+
+#line 8
+typeattribute system_app appdomain;
+#line 8
+# Label ashmem objects with our own unique type.
+#line 8
+
+#line 8
+type system_app_tmpfs, file_type;
+#line 8
+type_transition system_app tmpfs:file system_app_tmpfs;
+#line 8
+allow system_app system_app_tmpfs:file { read write };
+#line 8
+
+#line 8
+# Map with PROT_EXEC.
+#line 8
+allow system_app system_app_tmpfs:file execute;
+#line 8
+
+
+#line 9
+typeattribute system_app binderservicedomain;
+#line 9
+
+
+# Perform binder IPC to any app domain.
+
+#line 12
+# Call the server domain and optionally transfer references to it.
+#line 12
+allow system_app appdomain:binder { call transfer };
+#line 12
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 12
+allow appdomain system_app:binder transfer;
+#line 12
+# Receive and use open files from the server.
+#line 12
+allow system_app appdomain:fd use;
+#line 12
+
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow system_app system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file { getattr open read ioctl lock };
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+
+#line 26
+allow system_app keystore_socket:sock_file write;
+#line 26
+allow system_app keystore:unix_stream_socket connectto;
+#line 26
+
+
+# Read SELinux enforcing status.
+
+#line 29
+allow system_app selinuxfs:dir { open getattr read search ioctl };
+#line 29
+allow system_app selinuxfs:file { getattr open read ioctl lock };
+#line 29
+
+
+# Settings app reads sdcard for storage stats
+allow system_app sdcard_type:dir { open getattr read search ioctl };
+
+# Write to properties
+
+#line 35
+allow system_app property_socket:sock_file write;
+#line 35
+allow system_app init:unix_stream_socket connectto;
+#line 35
+
+allow system_app debug_prop:property_service set;
+allow system_app radio_prop:property_service set;
+allow system_app system_prop:property_service set;
+#line 1 "external/sepolicy/system_server.te"
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain, mlstrustedsubject;
+
+#line 6
+typeattribute system_server mlstrustedsubject;
+#line 6
+typeattribute system_server unconfineddomain;
+#line 6
+
+
+# Define a type for tmpfs-backed ashmem regions.
+
+#line 9
+type system_server_tmpfs, file_type;
+#line 9
+type_transition system_server tmpfs:file system_server_tmpfs;
+#line 9
+allow system_server system_server_tmpfs:file { read write };
+#line 9
+
+
+# Dalvik Compiler JIT Mapping.
+allow system_server self:process execmem;
+allow system_server ashmem_device:chr_file execute;
+allow system_server system_server_tmpfs:file execute;
+
+# For art.
+allow system_server dalvikcache_data_file:file execute;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+allow system_server zygote_tmpfs:file read;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+# This should be deleted after b/12061011 is fixed
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+
+#line 29
+typeattribute system_server netdomain;
+#line 29
+
+
+#line 30
+typeattribute system_server bluetoothdomain;
+#line 30
+
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:capability {
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_module
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+};
+
+allow system_server self:capability2 block_suspend;
+
+# Triggered by /proc/pid accesses, not allowed.
+dontaudit system_server self:capability sys_ptrace;
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket *;
+
+# Kill apps.
+allow system_server appdomain:process { sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+
+# Read /proc data for apps.
+allow system_server appdomain:dir { open getattr read search ioctl };
+allow system_server appdomain:{ file lnk_file } { { getattr open read ioctl lock } { open append write } };
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
+allow system_server qtaguid_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file { getattr open read ioctl lock };
+
+# WifiWatchdog uses a packet_socket
+allow system_server self:packet_socket *;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create;
+
+# Notify init of death.
+allow system_server init:process sigchld;
+
+# Talk to init and various daemons via sockets.
+
+#line 87
+allow system_server property_socket:sock_file write;
+#line 87
+allow system_server init:unix_stream_socket connectto;
+#line 87
+
+
+#line 88
+allow system_server qemud_socket:sock_file write;
+#line 88
+allow system_server qemud:unix_stream_socket connectto;
+#line 88
+
+
+#line 89
+allow system_server installd_socket:sock_file write;
+#line 89
+allow system_server installd:unix_stream_socket connectto;
+#line 89
+
+
+#line 90
+allow system_server lmkd_socket:sock_file write;
+#line 90
+allow system_server lmkd:unix_stream_socket connectto;
+#line 90
+
+
+#line 91
+allow system_server netd_socket:sock_file write;
+#line 91
+allow system_server netd:unix_stream_socket connectto;
+#line 91
+
+
+#line 92
+allow system_server vold_socket:sock_file write;
+#line 92
+allow system_server vold:unix_stream_socket connectto;
+#line 92
+
+
+#line 93
+allow system_server zygote_socket:sock_file write;
+#line 93
+allow system_server zygote:unix_stream_socket connectto;
+#line 93
+
+
+#line 94
+allow system_server keystore_socket:sock_file write;
+#line 94
+allow system_server keystore:unix_stream_socket connectto;
+#line 94
+
+
+#line 95
+allow system_server gps_socket:sock_file write;
+#line 95
+allow system_server gpsd:unix_stream_socket connectto;
+#line 95
+
+
+#line 96
+allow system_server racoon_socket:sock_file write;
+#line 96
+allow system_server racoon:unix_stream_socket connectto;
+#line 96
+
+
+#line 97
+allow system_server wpa_socket:sock_file write;
+#line 97
+allow system_server wpa:unix_dgram_socket sendto;
+#line 97
+
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Perform Binder IPC.
+
+#line 103
+# Call the servicemanager and transfer references to it.
+#line 103
+allow system_server servicemanager:binder { call transfer };
+#line 103
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 103
+# all domains in domain.te.
+#line 103
+
+
+#line 104
+# Call the server domain and optionally transfer references to it.
+#line 104
+allow system_server binderservicedomain:binder { call transfer };
+#line 104
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 104
+allow binderservicedomain system_server:binder transfer;
+#line 104
+# Receive and use open files from the server.
+#line 104
+allow system_server binderservicedomain:fd use;
+#line 104
+
+
+#line 105
+# Call the server domain and optionally transfer references to it.
+#line 105
+allow system_server appdomain:binder { call transfer };
+#line 105
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 105
+allow appdomain system_server:binder transfer;
+#line 105
+# Receive and use open files from the server.
+#line 105
+allow system_server appdomain:fd use;
+#line 105
+
+
+#line 106
+# Call the server domain and optionally transfer references to it.
+#line 106
+allow system_server healthd:binder { call transfer };
+#line 106
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 106
+allow healthd system_server:binder transfer;
+#line 106
+# Receive and use open files from the server.
+#line 106
+allow system_server healthd:fd use;
+#line 106
+
+
+#line 107
+# Call the server domain and optionally transfer references to it.
+#line 107
+allow system_server dumpstate:binder { call transfer };
+#line 107
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 107
+allow dumpstate system_server:binder transfer;
+#line 107
+# Receive and use open files from the server.
+#line 107
+allow system_server dumpstate:fd use;
+#line 107
+
+
+#line 108
+typeattribute system_server binderservicedomain;
+#line 108
+
+
+# Read /proc/pid files for Binder clients.
+
+#line 111
+allow system_server appdomain:dir { open getattr read search ioctl };
+#line 111
+allow system_server appdomain:{ file lnk_file } { getattr open read ioctl lock };
+#line 111
+
+
+#line 112
+allow system_server mediaserver:dir { open getattr read search ioctl };
+#line 112
+allow system_server mediaserver:{ file lnk_file } { getattr open read ioctl lock };
+#line 112
+
+allow system_server appdomain:process getattr;
+allow system_server mediaserver:process getattr;
+
+# Check SELinux permissions.
+
+#line 117
+allow system_server selinuxfs:dir { open getattr read search ioctl };
+#line 117
+allow system_server selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 117
+allow system_server kernel:security compute_av;
+#line 117
+allow system_server self:netlink_selinux_socket *;
+#line 117
+
+
+# XXX Label sysfs files with a specific type?
+allow system_server sysfs:file { { getattr open read ioctl lock } { open append write } };
+allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
+
+# Access devices.
+allow system_server device:dir { open getattr read search ioctl };
+allow system_server mdns_socket:sock_file { { getattr open read ioctl lock } { open append write } };
+allow system_server alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server graphics_device:dir search;
+allow system_server graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server iio_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server input_device:dir { open getattr read search ioctl };
+allow system_server input_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server video_device:dir { open getattr read search ioctl };
+allow system_server video_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server adbd_socket:sock_file { { getattr open read ioctl lock } { open append write } };
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Manage data files.
+allow system_server data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow system_server data_file_type:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read /file_contexts and /data/security/file_contexts
+
+#line 149
+allow system_server security_file:dir { open getattr read search ioctl };
+#line 149
+allow system_server security_file:file { getattr open read ioctl lock };
+#line 149
+allow system_server security_file:lnk_file { getattr open read ioctl lock };
+#line 149
+allow system_server selinuxfs:dir { open getattr read search ioctl };
+#line 149
+allow system_server selinuxfs:file { getattr open read ioctl lock };
+#line 149
+allow system_server rootfs:dir { open getattr read search ioctl };
+#line 149
+allow system_server rootfs:file { getattr open read ioctl lock };
+#line 149
+
+
+# Relabel apk files.
+
+#line 152
+typeattribute system_server relabeltodomain;
+#line 152
+
+allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { { getattr open read ioctl lock } { open append write } };
+
+# Relabel /data/anr.
+allow system_server system_data_file:dir relabelfrom;
+allow system_server anr_data_file:dir relabelto;
+
+# Property Service write
+allow system_server system_prop:property_service set;
+allow system_server radio_prop:property_service set;
+allow system_server debug_prop:property_service set;
+allow system_server powerctl_prop:property_service set;
+
+# ctl interface
+allow system_server ctl_default_prop:property_service set;
+
+# Create a socket for receiving info from wpa.
+type_transition system_server wifi_data_file:sock_file system_wpa_socket;
+type_transition system_server wpa_socket:sock_file system_wpa_socket;
+allow system_server wpa_socket:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow system_server system_wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Remove sockets created by wpa_supplicant
+allow system_server wpa_socket:sock_file unlink;
+
+# Create a socket for connections from debuggerd.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+allow system_server system_ndebug_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Specify any arguments to zygote.
+allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
+
+# Manage cache files.
+allow system_server cache_file:dir { relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
+allow system_server cache_file:file { relabelfrom { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } };
+
+# Run system programs, e.g. dexopt.
+allow system_server system_file:file { getattr execute execute_no_trans };
+
+# Allow reading of /proc/pid data for other domains.
+# XXX dontaudit candidate
+allow system_server domain:dir { open getattr read search ioctl };
+allow system_server domain:file { getattr open read ioctl lock };
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server gps_control:file { { getattr open read ioctl lock } { open append write } };
+
+# Allow system_server to use app-created sockets.
+allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
+
+# Allow abstract socket connection
+allow system_server rild:unix_stream_socket connectto;
+
+# connect to vpn tunnel
+allow system_server mtp:unix_stream_socket { connectto };
+
+# BackupManagerService lets PMS create a data backup file
+allow system_server cache_backup_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Relabel /data/backup
+allow system_server backup_data_file:dir { relabelto relabelfrom };
+# Relabel /cache/.*\.{data|restore}
+allow system_server cache_backup_file:file { relabelto relabelfrom };
+# LocalTransport creates and relabels /cache/backup
+allow system_server cache_backup_file:dir { relabelto relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server usb_device:dir { open getattr read search ioctl };
+
+# Allow system to talk to sensors
+allow system_server sensors_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file { getattr open read ioctl lock };
+
+# Access to wake locks
+allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
+
+# Read and delete files under /dev/fscklogs.
+
+#line 239
+allow system_server fscklogs:dir { open getattr read search ioctl };
+#line 239
+allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock };
+#line 239
+
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# For SELinuxPolicyInstallReceiver
+
+#line 244
+
+#line 244
+allow system_server security_file:dir { open getattr read search ioctl };
+#line 244
+allow system_server security_file:file { getattr open read ioctl lock };
+#line 244
+allow system_server security_file:lnk_file { getattr open read ioctl lock };
+#line 244
+allow system_server selinuxfs:dir { open getattr read search ioctl };
+#line 244
+allow system_server selinuxfs:file { getattr open read ioctl lock };
+#line 244
+allow system_server rootfs:dir { open getattr read search ioctl };
+#line 244
+allow system_server rootfs:file { getattr open read ioctl lock };
+#line 244
+
+#line 244
+
+#line 244
+allow system_server property_socket:sock_file write;
+#line 244
+allow system_server init:unix_stream_socket connectto;
+#line 244
+
+#line 244
+allow system_server security_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+#line 244
+allow system_server security_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 244
+allow system_server security_file:lnk_file { create rename unlink };
+#line 244
+allow system_server security_prop:property_service set;
+#line 244
+
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow system_server unlabeled:file execute;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { open append write };
+#line 1 "external/sepolicy/tee.te"
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+type tee_exec, exec_type, file_type;
+type tee_device, dev_type;
+type tee_data_file, file_type, data_file_type;
+
+
+#line 9
+
+#line 9
+# Allow the necessary permissions.
+#line 9
+
+#line 9
+# Old domain may exec the file and transition to the new domain.
+#line 9
+allow init tee_exec:file { getattr open read execute };
+#line 9
+allow init tee:process transition;
+#line 9
+# New domain is entered by executing the file.
+#line 9
+allow tee tee_exec:file { entrypoint read execute };
+#line 9
+# New domain can send SIGCHLD to its caller.
+#line 9
+allow tee init:process sigchld;
+#line 9
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 9
+dontaudit init tee:process noatsecure;
+#line 9
+# XXX dontaudit candidate but requires further study.
+#line 9
+allow init tee:process { siginh rlimitinh };
+#line 9
+
+#line 9
+# Make the transition occur by default.
+#line 9
+type_transition init tee_exec:process tee;
+#line 9
+
+#line 9
+
+#line 9
+type tee_tmpfs, file_type;
+#line 9
+type_transition tee tmpfs:file tee_tmpfs;
+#line 9
+allow tee tee_tmpfs:file { read write };
+#line 9
+
+#line 9
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow tee tee_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow tee tee_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow tee self:netlink_socket { create bind read };
+#line 1 "external/sepolicy/ueventd.te"
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+
+#line 4
+type ueventd_tmpfs, file_type;
+#line 4
+type_transition ueventd tmpfs:file ueventd_tmpfs;
+#line 4
+allow ueventd ueventd_tmpfs:file { read write };
+#line 4
+
+
+#line 5
+type_transition ueventd device:chr_file klog_device "__kmsg__";
+#line 5
+allow ueventd klog_device:chr_file { create open write unlink };
+#line 5
+allow ueventd device:dir { write add_name remove_name };
+#line 5
+
+
+#line 6
+allow ueventd security_file:dir { open getattr read search ioctl };
+#line 6
+allow ueventd security_file:file { getattr open read ioctl lock };
+#line 6
+allow ueventd security_file:lnk_file { getattr open read ioctl lock };
+#line 6
+allow ueventd selinuxfs:dir { open getattr read search ioctl };
+#line 6
+allow ueventd selinuxfs:file { getattr open read ioctl lock };
+#line 6
+allow ueventd rootfs:dir { open getattr read search ioctl };
+#line 6
+allow ueventd rootfs:file { getattr open read ioctl lock };
+#line 6
+
+
+#line 7
+typeattribute ueventd relabeltodomain;
+#line 7
+
+allow ueventd rootfs:file entrypoint;
+allow ueventd init:process sigchld;
+allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow ueventd device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow ueventd sysfs:file { { getattr open read ioctl lock } { open append write } };
+allow ueventd sysfs:file setattr;
+allow ueventd sysfs_type:file { relabelfrom relabelto };
+allow ueventd sysfs_devices_system_cpu:file { { getattr open read ioctl lock } { open append write } };
+allow ueventd tmpfs:chr_file { { getattr open read ioctl lock } { open append write } };
+allow ueventd dev_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { create setattr unlink };
+allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file { getattr open read ioctl lock };
+#line 1 "external/sepolicy/unconfined.te"
+#######################################################
+#
+# This is the unconfined template. This template is the base policy
+# which is used by daemons and other privileged components of
+# Android.
+#
+# Historically, this template was called "unconfined" because it
+# allowed the domain to do anything it wanted. Over time,
+# this has changed, and will continue to change in the future.
+# The rules in this file will be removed when no remaining
+# unconfined domains require it, or when the rules contradict
+# Android security best practices. Domains which need rules not
+# provided by the unconfined template should add them directly to
+# the relevant policy.
+#
+# The use of this template is discouraged.
+######################################################
+
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
+allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
+allow unconfineddomain kernel:system *;
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
+allow unconfineddomain domain:fd *;
+allow unconfineddomain domain:dir { open getattr read search ioctl };
+allow unconfineddomain domain:lnk_file { getattr open read ioctl lock };
+allow unconfineddomain domain:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
+allow unconfineddomain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } *;
+allow unconfineddomain domain:{ sem msgq shm ipc } *;
+allow unconfineddomain domain:key *;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain node_type:node *;
+allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow unconfineddomain netif_type:netif *;
+allow unconfineddomain port_type:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } name_bind;
+allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
+allow unconfineddomain domain:peer recv;
+allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
+allow unconfineddomain property_type:property_service set;
+#line 1 "external/sepolicy/uncrypt.te"
+# uncrypt
+type uncrypt, domain;
+type uncrypt_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init uncrypt_exec:file { getattr open read execute };
+#line 5
+allow init uncrypt:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow uncrypt uncrypt_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow uncrypt init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init uncrypt:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init uncrypt:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init uncrypt_exec:process uncrypt;
+#line 5
+
+#line 5
+
+#line 5
+type uncrypt_tmpfs, file_type;
+#line 5
+type_transition uncrypt tmpfs:file uncrypt_tmpfs;
+#line 5
+allow uncrypt uncrypt_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute uncrypt mlstrustedsubject;
+#line 6
+typeattribute uncrypt unconfineddomain;
+#line 6
+
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+
+#line 11
+allow uncrypt app_data_file:dir { open getattr read search ioctl };
+#line 11
+allow uncrypt app_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 11
+
+
+#line 16
+
+
+# Create tmp file /cache/recovery/command.tmp
+# Read /cache/recovery/command
+# Rename /cache/recovery/command.tmp to /cache/recovery/command
+allow uncrypt cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow uncrypt cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Set a property to reboot the device.
+
+#line 25
+allow uncrypt property_socket:sock_file write;
+#line 25
+allow uncrypt init:unix_stream_socket connectto;
+#line 25
+
+allow uncrypt powerctl_prop:property_service set;
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt block_device:blk_file { open append write };
+#line 1 "external/sepolicy/untrusted_app.te"
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps. An "untrusted
+### app" is an APP with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000).
+###
+### untrusted_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type untrusted_app, domain;
+
+#line 13
+typeattribute untrusted_app mlstrustedsubject;
+#line 13
+typeattribute untrusted_app unconfineddomain;
+#line 13
+
+
+#line 14
+typeattribute untrusted_app appdomain;
+#line 14
+# Label ashmem objects with our own unique type.
+#line 14
+
+#line 14
+type untrusted_app_tmpfs, file_type;
+#line 14
+type_transition untrusted_app tmpfs:file untrusted_app_tmpfs;
+#line 14
+allow untrusted_app untrusted_app_tmpfs:file { read write };
+#line 14
+
+#line 14
+# Map with PROT_EXEC.
+#line 14
+allow untrusted_app untrusted_app_tmpfs:file execute;
+#line 14
+
+
+#line 15
+typeattribute untrusted_app netdomain;
+#line 15
+
+
+#line 16
+typeattribute untrusted_app bluetoothdomain;
+#line 16
+
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app app_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+allow untrusted_app tun_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Internal SDCard rw access.
+allow untrusted_app sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow untrusted_app sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# External SDCard rw access.
+allow untrusted_app sdcard_external:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow untrusted_app sdcard_external:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# ASEC
+allow untrusted_app asec_apk_file:dir { getattr };
+allow untrusted_app asec_apk_file:file { getattr open read ioctl lock };
+# Execute libs in asec containers.
+allow untrusted_app asec_public_file:file execute;
+
+# Create tcp/udp sockets
+allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
+allow untrusted_app self:{ tcp_socket udp_socket } { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } accept listen };
+# Bind to a particular hostname/address/interface (e.g., localhost) instead of
+# ANY. Normally, apps should not be listening on all interfaces.
+allow untrusted_app port:{ tcp_socket udp_socket } name_bind;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+
+#line 47
+# Each domain gets a unique devpts type.
+#line 47
+type untrusted_app_devpts, fs_type;
+#line 47
+# Label the pty with the unique type when created.
+#line 47
+type_transition untrusted_app devpts:chr_file untrusted_app_devpts;
+#line 47
+# Allow use of the pty after creation.
+#line 47
+allow untrusted_app untrusted_app_devpts:chr_file { open getattr read write ioctl };
+#line 47
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+#line 47
+# allowed to everyone via domain.te.
+#line 47
+
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app shell_data_file:file { getattr open read ioctl lock };
+allow untrusted_app shell_data_file:dir { open getattr read search ioctl };
+#line 1 "external/sepolicy/vold.te"
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init vold_exec:file { getattr open read execute };
+#line 5
+allow init vold:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow vold vold_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow vold init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init vold:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init vold:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init vold_exec:process vold;
+#line 5
+
+#line 5
+
+#line 5
+type vold_tmpfs, file_type;
+#line 5
+type_transition vold tmpfs:file vold_tmpfs;
+#line 5
+allow vold vold_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+typeattribute vold mlstrustedsubject;
+allow vold system_file:file { getattr execute execute_no_trans };
+allow vold block_device:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow vold block_device:blk_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow vold device:dir write;
+allow vold devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton;
+allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow vold sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow vold tmpfs:dir mounton;
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket *;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file { { getattr open read ioctl lock } { open append write } };
+allow vold loop_device:blk_file { { getattr open read ioctl lock } { open append write } };
+allow vold dm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir { open getattr read search ioctl };
+allow vold domain:{ file lnk_file } { getattr open read ioctl lock };
+allow vold domain:process { signal sigkill };
+allow vold self:capability { sys_ptrace kill };
+
+# For blkid
+allow vold shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file { { getattr open read ioctl lock } { open append write } };
+
+
+#line 39
+type_transition vold device:chr_file klog_device "__kmsg__";
+#line 39
+allow vold klog_device:chr_file { create open write unlink };
+#line 39
+allow vold device:dir { write add_name remove_name };
+#line 39
+
+
+# Log fsck results
+allow vold fscklogs:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow vold fscklogs:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Set property.
+
+#line 50
+allow vold property_socket:sock_file write;
+#line 50
+allow vold init:unix_stream_socket connectto;
+#line 50
+
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file { { getattr open read ioctl lock } { open append write } };
+
+# Create and mount on /data/tmp_mnt.
+allow vold system_data_file:dir { create { { open getattr read search ioctl } { open search write add_name remove_name } } mounton };
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# Property Service
+allow vold vold_prop:property_service set;
+allow vold powerctl_prop:property_service set;
+allow vold ctl_default_prop:property_service set;
+
+# ASEC
+allow vold asec_image_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow vold asec_image_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+
+#line 73
+allow vold security_file:dir { open getattr read search ioctl };
+#line 73
+allow vold security_file:file { getattr open read ioctl lock };
+#line 73
+allow vold security_file:lnk_file { getattr open read ioctl lock };
+#line 73
+allow vold selinuxfs:dir { open getattr read search ioctl };
+#line 73
+allow vold selinuxfs:file { getattr open read ioctl lock };
+#line 73
+allow vold rootfs:dir { open getattr read search ioctl };
+#line 73
+allow vold rootfs:file { getattr open read ioctl lock };
+#line 73
+
+
+#line 74
+typeattribute vold relabeltodomain;
+#line 74
+
+allow vold asec_apk_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr relabelfrom };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { { getattr open read ioctl lock } setattr relabelfrom };
+allow vold asec_public_file:file { relabelto setattr };
+
+# Handle wake locks (used for device encryption)
+allow vold sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
+allow vold self:capability2 block_suspend;
+#line 1 "external/sepolicy/watchdogd.te"
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+allow watchdogd rootfs:file { entrypoint { getattr open read ioctl lock } };
+allow watchdogd self:capability mknod;
+allow watchdogd device:dir { add_name write remove_name };
+allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock } { open append write } };
+# because of /dev/__kmsg__ and /dev/__null__
+
+#line 8
+type_transition watchdogd device:chr_file klog_device "__kmsg__";
+#line 8
+allow watchdogd klog_device:chr_file { create open write unlink };
+#line 8
+allow watchdogd device:dir { write add_name remove_name };
+#line 8
+
+type_transition watchdogd device:chr_file null_device "__null__";
+allow watchdogd null_device:chr_file { create unlink };
+#line 1 "external/sepolicy/wpa_supplicant.te"
+# wpa - wpa supplicant or equivalent
+type wpa, domain;
+type wpa_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init wpa_exec:file { getattr open read execute };
+#line 5
+allow init wpa:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow wpa wpa_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow wpa init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init wpa:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init wpa:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init wpa_exec:process wpa;
+#line 5
+
+#line 5
+
+#line 5
+type wpa_tmpfs, file_type;
+#line 5
+type_transition wpa tmpfs:file wpa_tmpfs;
+#line 5
+allow wpa wpa_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+allow wpa kernel:system module_request;
+allow wpa self:capability { setuid net_admin setgid net_raw };
+allow wpa cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow wpa self:netlink_route_socket *;
+allow wpa self:netlink_socket *;
+allow wpa self:packet_socket *;
+allow wpa self:udp_socket *;
+allow wpa wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow wpa wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+#line 15
+allow wpa system_wpa_socket:sock_file write;
+#line 15
+allow wpa system_server:unix_dgram_socket sendto;
+#line 15
+
+allow wpa random_device:chr_file { getattr open read ioctl lock };
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:sock_file wpa_socket;
+allow wpa wpa_socket:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr };
+allow wpa wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Allow wpa_cli to work. wpa_cli creates a socket in
+# /data/misc/wifi/sockets which wpa supplicant communicates with.
+#line 27
+
+#line 1 "external/sepolicy/zygote.te"
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init zygote_exec:file { getattr open read execute };
+#line 5
+allow init zygote:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow zygote zygote_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow zygote init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init zygote:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init zygote:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init zygote_exec:process zygote;
+#line 5
+
+#line 5
+
+#line 5
+type zygote_tmpfs, file_type;
+#line 5
+type_transition zygote tmpfs:file zygote_tmpfs;
+#line 5
+allow zygote zygote_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute zygote mlstrustedsubject;
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid fowner };
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow zygote system_server:process dyntransition;
+allow zygote appdomain:process dyntransition;
+# Allow zygote to read app /proc/pid dirs (b/10455872)
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { { getattr open read ioctl lock } };
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+# Write to system data.
+allow zygote system_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow zygote system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow zygote dalvikcache_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow zygote dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# For art.
+allow zygote dalvikcache_data_file:file execute;
+# Execute dexopt.
+allow zygote system_file:file { getattr execute execute_no_trans };
+# Control cgroups.
+allow zygote cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow zygote self:capability sys_admin;
+# Check validity of SELinux context before use.
+
+#line 33
+allow zygote selinuxfs:dir { open getattr read search ioctl };
+#line 33
+allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 33
+allow zygote kernel:security check_context;
+#line 33
+
+# Check SELinux permissions.
+
+#line 35
+allow zygote selinuxfs:dir { open getattr read search ioctl };
+#line 35
+allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 35
+allow zygote kernel:security compute_av;
+#line 35
+allow zygote self:netlink_selinux_socket *;
+#line 35
+
+# Read /seapp_contexts and /data/security/seapp_contexts
+
+#line 37
+allow zygote security_file:dir { open getattr read search ioctl };
+#line 37
+allow zygote security_file:file { getattr open read ioctl lock };
+#line 37
+allow zygote security_file:lnk_file { getattr open read ioctl lock };
+#line 37
+allow zygote selinuxfs:dir { open getattr read search ioctl };
+#line 37
+allow zygote selinuxfs:file { getattr open read ioctl lock };
+#line 37
+allow zygote rootfs:dir { open getattr read search ioctl };
+#line 37
+allow zygote rootfs:file { getattr open read ioctl lock };
+#line 37
+
+
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard_type:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton search };
+allow zygote tmpfs:filesystem mount;
+allow zygote labeledfs:filesystem remount;
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file { execute_no_trans open };
+
+# handle bugreports b/10498304
+allow zygote ashmem_device:chr_file execute;
+allow zygote shell_data_file:file { write getattr };
+allow zygote system_server:binder { transfer call };
+allow zygote servicemanager:binder { call };
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow zygote unlabeled:file execute;
+#line 1 "build/target/board/generic/sepolicy/bootanim.te"
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+#line 1 "build/target/board/generic/sepolicy/domain.te"
+# For /sys/qemu_trace files in the emulator.
+allow domain sysfs_writable:file { { getattr open read ioctl lock } { open append write } };
+#line 1 "build/target/board/generic/sepolicy/surfaceflinger.te"
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
+#line 1 "external/sepolicy/roles"
+role r;
+role r types domain;
+#line 1 "external/sepolicy/users"
+user u roles { r } level s0 range s0 - s0:c0.c1023;
+#line 1 "external/sepolicy/initial_sid_contexts"
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
+#line 1 "external/sepolicy/fs_use"
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
+#line 1 "external/sepolicy/genfs_contexts"
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:sdcard_external:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:sdcard_internal:s0
+#line 1 "external/sepolicy/port_contexts"
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
+
diff --git a/tools/selinux/src/gen_SELinux_CTS.py b/tools/selinux/src/gen_SELinux_CTS.py
new file mode 100755
index 0000000..85d49a8
--- /dev/null
+++ b/tools/selinux/src/gen_SELinux_CTS.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+# genCheckAccessCTS.py - takes an input SELinux policy.conf file and generates
+# an XML file based on the allow and neverallow rules. The file contains rules,
+# which are created by expanding the SELinux rule notation into the individual
+# components which a checkAccess() check, that a policy manager would have to
+# perform, needs.
+#
+# This test does not work with all valid SELinux policy.conf files. It is meant
+# to simply use a given AOSP generated policy.conf file to create sets
+# representing the policy's types, attributes, classes and permissions, which
+# are used to expand the allow and neverallow rules found. For a full parser
+# and compiler of SELinux, see external/checkpolicy.
+# @dcashman
+
+import pdb
+import re
+import sys
+from xml.etree.ElementTree import Element, SubElement, tostring
+from xml.dom import minidom
+
+import SELinux_CTS
+from SELinux_CTS import SELinuxPolicy
+
+usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file neverallow_only=[t/f]"
+
+if __name__ == "__main__":
+ # check usage
+ if len(sys.argv) != 4:
+ print usage
+ exit()
+ input_file = sys.argv[1]
+ output_file = sys.argv[2]
+ neverallow_only = (sys.argv[3] == "neverallow_only=t")
+ policy = SELinuxPolicy()
+ policy.from_file_name(input_file) #load data from file
+
+ # expand rules into 4-tuples for SELinux.h checkAccess() check
+ xml_root = Element('SELinux_AVC_Rules')
+ if not neverallow_only:
+ count = 1
+ for a in policy.allow_rules:
+ expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, a, str(count), 'allow')
+ if len(expanded_xml):
+ xml_root.append(expanded_xml)
+ count += 1
+ count = 1
+ for n in policy.neverallow_rules:
+ expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, n, str(count), 'neverallow')
+ if len(expanded_xml):
+ xml_root.append(expanded_xml)
+ count += 1
+
+ #print out the xml file
+ s = tostring(xml_root)
+ s_parsed = minidom.parseString(s)
+ output = s_parsed.toprettyxml(indent=" ")
+ with open(output_file, 'w') as out_file:
+ out_file.write(output)
diff --git a/tools/selinux/test/policy_clean_test.conf b/tools/selinux/test/policy_clean_test.conf
new file mode 100644
index 0000000..074a63b
--- /dev/null
+++ b/tools/selinux/test/policy_clean_test.conf
@@ -0,0 +1,2230 @@
+#line 1 "external/sepolicy/security_classes"
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class capability
+
+# file-related classes
+class file
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+########################################
+#
+# Basic level names for system low and high
+#
+
+
+#line 1 "external/sepolicy/mls"
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+
+#line 6
+# Each sensitivity has a name and zero or more aliases.
+#line 6
+sensitivity s0;
+#line 6
+
+#line 6
+
+#line 6
+# Define the ordering of the sensitivity levels (least to greatest)
+#line 6
+dominance { s0 }
+#line 6
+
+category c0;
+#line 7
+category c1;
+#line 7
+category c2;
+#line 7
+category c3;
+#line 7
+category c4;
+#line 7
+category c5;
+#line 7
+category c6;
+#line 7
+category c7;
+#line 7
+category c8;
+#line 7
+category c9;
+#line 7
+category c10;
+#line 7
+category c11;
+#line 7
+category c12;
+#line 7
+category c13;
+#line 7
+category c14;
+#line 7
+category c15;
+#line 7
+category c16;
+#line 7
+category c17;
+#line 7
+category c18;
+#line 7
+category c19;
+#line 7
+category c20;
+#line 7
+category c21;
+#line 7
+category c22;
+#line 7
+category c23;
+#line 7
+category c24;
+#line 7
+category c25;
+#line 7
+category c26;
+#line 7
+category c27;
+#line 7
+category c28;
+#line 7
+category c29;
+#line 7
+category c30;
+#line 7
+category c31;
+#line 7
+category c32;
+#line 7
+category c33;
+#line 7
+category c34;
+#line 7
+category c35;
+#line 7
+category c36;
+#line 7
+category c37;
+#line 7
+category c38;
+#line 7
+category c39;
+#line 7
+category c40;
+#line 7
+category c41;
+#line 7
+category c42;
+#line 7
+category c43;
+#line 7
+category c44;
+#line 7
+category c45;
+#line 7
+category c46;
+#line 7
+category c47;
+#line 7
+category c48;
+#line 7
+category c49;
+#line 7
+category c50;
+#line 7
+category c51;
+#line 7
+category c52;
+#line 7
+category c53;
+#line 7
+category c54;
+#line 7
+category c55;
+#line 7
+category c56;
+#line 7
+category c57;
+#line 7
+category c58;
+#line 7
+category c59;
+#line 7
+category c60;
+#line 7
+category c61;
+#line 7
+category c62;
+#line 7
+category c63;
+#line 7
+category c64;
+#line 7
+category c65;
+#line 7
+category c66;
+#line 7
+category c67;
+#line 7
+category c68;
+#line 7
+category c69;
+#line 7
+category c70;
+#line 7
+category c71;
+#line 7
+category c72;
+#line 7
+category c73;
+#line 7
+category c74;
+#line 7
+category c75;
+#line 7
+category c76;
+#line 7
+category c77;
+#line 7
+category c78;
+#line 7
+category c79;
+#line 7
+category c80;
+#line 7
+category c81;
+#line 7
+category c82;
+#line 7
+category c83;
+#line 7
+category c84;
+#line 7
+category c85;
+#line 7
+category c86;
+#line 7
+category c87;
+#line 7
+category c88;
+#line 7
+category c89;
+#line 7
+category c90;
+#line 7
+category c91;
+#line 7
+category c92;
+#line 7
+category c93;
+#line 7
+category c94;
+#line 7
+category c95;
+#line 7
+category c96;
+#line 7
+category c97;
+#line 7
+category c98;
+#line 7
+category c99;
+#line 7
+category c100;
+#line 7
+category c101;
+#line 7
+category c102;
+#line 7
+category c103;
+#line 7
+category c104;
+#line 7
+category c105;
+#line 7
+category c106;
+#line 7
+category c107;
+#line 7
+category c108;
+#line 7
+category c109;
+#line 7
+category c110;
+#line 7
+category c111;
+#line 7
+category c112;
+#line 7
+category c113;
+#line 7
+category c114;
+#line 7
+category c115;
+#line 7
+category c116;
+#line 7
+category c117;
+#line 7
+category c118;
+#line 7
+category c119;
+#line 7
+category c120;
+#line 7
+category c121;
+#line 7
+category c122;
+#line 7
+category c123;
+#line 7
+category c124;
+#line 7
+category c125;
+#line 7
+category c126;
+#line 7
+category c127;
+#line 7
+category c128;
+#line 7
+category c129;
+#line 7
+category c130;
+#line 7
+category c131;
+#line 7
+category c132;
+#line 7
+category c133;
+#line 7
+category c134;
+#line 7
+category c135;
+#line 7
+category c136;
+#line 7
+category c137;
+#line 7
+category c138;
+#line 7
+category c139;
+#line 7
+category c140;
+#line 7
+category c141;
+#line 7
+category c142;
+#line 7
+category c143;
+#line 7
+category c144;
+#line 7
+category c145;
+#line 7
+category c146;
+#line 7
+category c147;
+#line 7
+category c148;
+#line 7
+category c149;
+#line 7
+category c150;
+#line 7
+category c151;
+#line 7
+category c152;
+#line 7
+category c153;
+#line 7
+category c154;
+#line 7
+category c155;
+#line 7
+category c156;
+#line 7
+category c157;
+#line 7
+category c158;
+#line 7
+category c159;
+#line 7
+category c160;
+#line 7
+category c161;
+#line 7
+category c162;
+#line 7
+category c163;
+#line 7
+category c164;
+#line 7
+category c165;
+#line 7
+category c166;
+#line 7
+category c167;
+#line 7
+category c168;
+#line 7
+category c169;
+#line 7
+category c170;
+#line 7
+category c171;
+#line 7
+category c172;
+#line 7
+category c173;
+#line 7
+category c174;
+#line 7
+category c175;
+#line 7
+category c176;
+#line 7
+category c177;
+#line 7
+category c178;
+#line 7
+category c179;
+#line 7
+category c180;
+#line 7
+category c181;
+#line 7
+category c182;
+#line 7
+category c183;
+#line 7
+category c184;
+#line 7
+category c185;
+#line 7
+category c186;
+#line 7
+category c187;
+#line 7
+category c188;
+#line 7
+category c189;
+#line 7
+category c190;
+#line 7
+category c191;
+#line 7
+category c192;
+#line 7
+category c193;
+#line 7
+category c194;
+#line 7
+category c195;
+#line 7
+category c196;
+#line 7
+category c197;
+#line 7
+category c198;
+#line 7
+category c199;
+#line 7
+category c200;
+#line 7
+category c201;
+#line 7
+category c202;
+#line 7
+category c203;
+#line 7
+category c204;
+#line 7
+category c205;
+#line 7
+category c206;
+#line 7
+category c207;
+#line 7
+category c208;
+#line 7
+category c209;
+#line 7
+category c210;
+#line 7
+category c211;
+#line 7
+category c212;
+#line 7
+category c213;
+#line 7
+category c214;
+#line 7
+category c215;
+#line 7
+category c216;
+#line 7
+category c217;
+#line 7
+category c218;
+#line 7
+category c219;
+#line 7
+category c220;
+#line 7
+category c221;
+#line 7
+category c222;
+#line 7
+category c223;
+#line 7
+category c224;
+#line 7
+category c225;
+#line 7
+category c226;
+#line 7
+category c227;
+#line 7
+category c228;
+#line 7
+category c229;
+#line 7
+category c230;
+#line 7
+category c231;
+#line 7
+category c232;
+#line 7
+category c233;
+#line 7
+category c234;
+#line 7
+category c235;
+#line 7
+category c236;
+#line 7
+category c237;
+#line 7
+category c238;
+#line 7
+category c239;
+#line 7
+category c240;
+#line 7
+category c241;
+#line 7
+category c242;
+#line 7
+category c243;
+#line 7
+category c244;
+#line 7
+category c245;
+#line 7
+category c246;
+#line 7
+category c247;
+#line 7
+category c248;
+#line 7
+category c249;
+#line 7
+category c250;
+#line 7
+category c251;
+#line 7
+category c252;
+#line 7
+category c253;
+#line 7
+category c254;
+#line 7
+category c255;
+#line 7
+category c256;
+#line 7
+category c257;
+#line 7
+category c258;
+#line 7
+category c259;
+#line 7
+category c260;
+#line 7
+category c261;
+#line 7
+category c262;
+#line 7
+category c263;
+#line 7
+category c264;
+#line 7
+category c265;
+#line 7
+category c266;
+#line 7
+category c267;
+#line 7
+category c268;
+#line 7
+category c269;
+#line 7
+category c270;
+#line 7
+category c271;
+#line 7
+category c272;
+#line 7
+category c273;
+#line 7
+category c274;
+#line 7
+category c275;
+#line 7
+category c276;
+#line 7
+category c277;
+#line 7
+category c278;
+#line 7
+category c279;
+#line 7
+category c280;
+#line 7
+category c281;
+#line 7
+category c282;
+#line 7
+category c283;
+#line 7
+category c284;
+#line 7
+category c285;
+#line 7
+category c286;
+#line 7
+category c287;
+#line 7
+category c288;
+#line 7
+category c289;
+#line 7
+category c290;
+#line 7
+category c291;
+#line 7
+category c292;
+#line 7
+category c293;
+#line 7
+category c294;
+#line 7
+category c295;
+#line 7
+category c296;
+#line 7
+category c297;
+#line 7
+category c298;
+#line 7
+category c299;
+#line 7
+category c300;
+#line 7
+category c301;
+#line 7
+category c302;
+#line 7
+category c303;
+#line 7
+category c304;
+#line 7
+category c305;
+#line 7
+category c306;
+#line 7
+category c307;
+#line 7
+category c308;
+#line 7
+category c309;
+#line 7
+category c310;
+#line 7
+category c311;
+#line 7
+category c312;
+#line 7
+category c313;
+#line 7
+category c314;
+#line 7
+category c315;
+#line 7
+category c316;
+#line 7
+category c317;
+#line 7
+category c318;
+#line 7
+category c319;
+#line 7
+category c320;
+#line 7
+category c321;
+#line 7
+category c322;
+#line 7
+category c323;
+#line 7
+category c324;
+#line 7
+category c325;
+#line 7
+category c326;
+#line 7
+category c327;
+#line 7
+category c328;
+#line 7
+category c329;
+#line 7
+category c330;
+#line 7
+category c331;
+#line 7
+category c332;
+#line 7
+category c333;
+#line 7
+category c334;
+#line 7
+category c335;
+#line 7
+category c336;
+#line 7
+category c337;
+#line 7
+category c338;
+#line 7
+category c339;
+#line 7
+category c340;
+#line 7
+category c341;
+#line 7
+category c342;
+#line 7
+category c343;
+#line 7
+category c344;
+#line 7
+category c345;
+#line 7
+category c346;
+#line 7
+category c347;
+#line 7
+category c348;
+#line 7
+category c349;
+#line 7
+category c350;
+#line 7
+category c351;
+#line 7
+category c352;
+#line 7
+category c353;
+#line 7
+category c354;
+#line 7
+category c355;
+#line 7
+category c356;
+#line 7
+category c357;
+#line 7
+category c358;
+#line 7
+category c359;
+#line 7
+category c360;
+#line 7
+category c361;
+#line 7
+category c362;
+#line 7
+category c363;
+#line 7
+category c364;
+#line 7
+category c365;
+#line 7
+category c366;
+#line 7
+category c367;
+#line 7
+category c368;
+#line 7
+category c369;
+#line 7
+category c370;
+#line 7
+category c371;
+#line 7
+category c372;
+#line 7
+category c373;
+#line 7
+category c374;
+#line 7
+category c375;
+#line 7
+category c376;
+#line 7
+category c377;
+#line 7
+category c378;
+#line 7
+category c379;
+#line 7
+category c380;
+#line 7
+category c381;
+#line 7
+category c382;
+#line 7
+category c383;
+#line 7
+category c384;
+#line 7
+category c385;
+#line 7
+category c386;
+#line 7
+category c387;
+#line 7
+category c388;
+#line 7
+category c389;
+#line 7
+category c390;
+#line 7
+category c391;
+#line 7
+category c392;
+#line 7
+category c393;
+#line 7
+category c394;
+#line 7
+category c395;
+#line 7
+category c396;
+#line 7
+category c397;
+#line 7
+category c398;
+#line 7
+category c399;
+#line 7
+category c400;
+#line 7
+category c401;
+#line 7
+category c402;
+#line 7
+category c403;
+#line 7
+category c404;
+#line 7
+category c405;
+#line 7
+category c406;
+#line 7
+category c407;
+#line 7
+category c408;
+#line 7
+category c409;
+#line 7
+category c410;
+#line 7
+category c411;
+#line 7
+category c412;
+#line 7
+category c413;
+#line 7
+category c414;
+#line 7
+category c415;
+#line 7
+category c416;
+#line 7
+category c417;
+#line 7
+category c418;
+#line 7
+category c419;
+#line 7
+category c420;
+#line 7
+category c421;
+#line 7
+category c422;
+#line 7
+category c423;
+#line 7
+category c424;
+#line 7
+category c425;
+#line 7
+category c426;
+#line 7
+category c427;
+#line 7
+category c428;
+#line 7
+category c429;
+#line 7
+category c430;
+#line 7
+category c431;
+#line 7
+category c432;
+#line 7
+category c433;
+#line 7
+category c434;
+#line 7
+category c435;
+#line 7
+category c436;
+#line 7
+category c437;
+#line 7
+category c438;
+#line 7
+category c439;
+#line 7
+category c440;
+#line 7
+category c441;
+#line 7
+category c442;
+#line 7
+category c443;
+#line 7
+category c444;
+#line 7
+category c445;
+#line 7
+category c446;
+#line 7
+category c447;
+#line 7
+category c448;
+#line 7
+category c449;
+#line 7
+category c450;
+#line 7
+category c451;
+#line 7
+category c452;
+#line 7
+category c453;
+#line 7
+category c454;
+#line 7
+category c455;
+#line 7
+category c456;
+#line 7
+category c457;
+#line 7
+category c458;
+#line 7
+category c459;
+#line 7
+category c460;
+#line 7
+category c461;
+#line 7
+category c462;
+#line 7
+category c463;
+#line 7
+category c464;
+#line 7
+category c465;
+#line 7
+category c466;
+#line 7
+category c467;
+#line 7
+category c468;
+#line 7
+category c469;
+#line 7
+category c470;
+#line 7
+category c471;
+#line 7
+category c472;
+#line 7
+category c473;
+#line 7
+category c474;
+#line 7
+category c475;
+#line 7
+category c476;
+#line 7
+category c477;
+#line 7
+category c478;
+#line 7
+category c479;
+#line 7
+category c480;
+#line 7
+category c481;
+#line 7
+category c482;
+#line 7
+category c483;
+#line 7
+category c484;
+#line 7
+category c485;
+#line 7
+category c486;
+#line 7
+category c487;
+#line 7
+category c488;
+#line 7
+category c489;
+#line 7
+category c490;
+#line 7
+category c491;
+#line 7
+category c492;
+#line 7
+category c493;
+#line 7
+category c494;
+#line 7
+category c495;
+#line 7
+category c496;
+#line 7
+category c497;
+#line 7
+category c498;
+#line 7
+category c499;
+#line 7
+category c500;
+#line 7
+category c501;
+#line 7
+category c502;
+#line 7
+category c503;
+#line 7
+category c504;
+#line 7
+category c505;
+#line 7
+category c506;
+#line 7
+category c507;
+#line 7
+category c508;
+#line 7
+category c509;
+#line 7
+category c510;
+#line 7
+category c511;
+#line 7
+category c512;
+#line 7
+category c513;
+#line 7
+category c514;
+#line 7
+category c515;
+#line 7
+category c516;
+#line 7
+category c517;
+#line 7
+category c518;
+#line 7
+category c519;
+#line 7
+category c520;
+#line 7
+category c521;
+#line 7
+category c522;
+#line 7
+category c523;
+#line 7
+category c524;
+#line 7
+category c525;
+#line 7
+category c526;
+#line 7
+category c527;
+#line 7
+category c528;
+#line 7
+category c529;
+#line 7
+category c530;
+#line 7
+category c531;
+#line 7
+category c532;
+#line 7
+category c533;
+#line 7
+category c534;
+#line 7
+category c535;
+#line 7
+category c536;
+#line 7
+category c537;
+#line 7
+category c538;
+#line 7
+category c539;
+#line 7
+category c540;
+#line 7
+category c541;
+#line 7
+category c542;
+#line 7
+category c543;
+#line 7
+category c544;
+#line 7
+category c545;
+#line 7
+category c546;
+#line 7
+category c547;
+#line 7
+category c548;
+#line 7
+category c549;
+#line 7
+category c550;
+#line 7
+category c551;
+#line 7
+category c552;
+#line 7
+category c553;
+#line 7
+category c554;
+#line 7
+category c555;
+#line 7
+category c556;
+#line 7
+category c557;
+#line 7
+category c558;
+#line 7
+category c559;
+#line 7
+category c560;
+#line 7
+category c561;
+#line 7
+category c562;
+#line 7
+category c563;
+#line 7
+category c564;
+#line 7
+category c565;
+#line 7
+category c566;
+#line 7
+category c567;
+#line 7
+category c568;
+#line 7
+category c569;
+#line 7
+category c570;
+#line 7
+category c571;
+#line 7
+category c572;
+#line 7
+category c573;
+#line 7
+category c574;
+#line 7
+category c575;
+#line 7
+category c576;
+#line 7
+category c577;
+#line 7
+category c578;
+#line 7
+category c579;
+#line 7
+category c580;
+#line 7
+category c581;
+#line 7
+category c582;
+#line 7
+category c583;
+#line 7
+category c584;
+#line 7
+category c585;
+#line 7
+category c586;
+#line 7
+category c587;
+#line 7
+category c588;
+#line 7
+category c589;
+#line 7
+category c590;
+#line 7
+category c591;
+#line 7
+category c592;
+#line 7
+category c593;
+#line 7
+category c594;
+#line 7
+category c595;
+#line 7
+category c596;
+#line 7
+category c597;
+#line 7
+category c598;
+#line 7
+category c599;
+#line 7
+category c600;
+#line 7
+category c601;
+#line 7
+category c602;
+#line 7
+category c603;
+#line 7
+category c604;
+#line 7
+category c605;
+#line 7
+category c606;
+#line 7
+category c607;
+#line 7
+category c608;
+#line 7
+category c609;
+#line 7
+category c610;
+#line 7
+category c611;
+#line 7
+category c612;
+#line 7
+category c613;
+#line 7
+category c614;
+#line 7
+category c615;
+#line 7
+category c616;
+#line 7
+category c617;
+#line 7
+category c618;
+#line 7
+category c619;
+#line 7
+category c620;
+#line 7
+category c621;
+#line 7
+category c622;
+#line 7
+category c623;
+#line 7
+category c624;
+#line 7
+category c625;
+#line 7
+category c626;
+#line 7
+category c627;
+#line 7
+category c628;
+#line 7
+category c629;
+#line 7
+category c630;
+#line 7
+category c631;
+#line 7
+category c632;
+#line 7
+category c633;
+#line 7
+category c634;
+#line 7
+category c635;
+#line 7
+category c636;
+#line 7
+category c637;
+#line 7
+category c638;
+#line 7
+category c639;
+#line 7
+category c640;
+#line 7
+category c641;
+#line 7
+category c642;
+#line 7
+category c643;
+#line 7
+category c644;
+#line 7
+category c645;
+#line 7
+category c646;
+#line 7
+category c647;
+#line 7
+category c648;
+#line 7
+category c649;
+#line 7
+category c650;
+#line 7
+category c651;
+#line 7
+category c652;
+#line 7
+category c653;
+#line 7
+category c654;
+#line 7
+category c655;
+#line 7
+category c656;
+#line 7
+category c657;
+#line 7
+category c658;
+#line 7
+category c659;
+#line 7
+category c660;
+#line 7
+category c661;
+#line 7
+category c662;
+#line 7
+category c663;
+#line 7
+category c664;
+#line 7
+category c665;
+#line 7
+category c666;
+#line 7
+category c667;
+#line 7
+category c668;
+#line 7
+category c669;
+#line 7
+category c670;
+#line 7
+category c671;
+#line 7
+category c672;
+#line 7
+category c673;
+#line 7
+category c674;
+#line 7
+category c675;
+#line 7
+category c676;
+#line 7
+category c677;
+#line 7
+category c678;
+#line 7
+category c679;
+#line 7
+category c680;
+#line 7
+category c681;
+#line 7
+category c682;
+#line 7
+category c683;
+#line 7
+category c684;
+#line 7
+category c685;
+#line 7
+category c686;
+#line 7
+category c687;
+#line 7
+category c688;
+#line 7
+category c689;
+#line 7
+category c690;
+#line 7
+category c691;
+#line 7
+category c692;
+#line 7
+category c693;
+#line 7
+category c694;
+#line 7
+category c695;
+#line 7
+category c696;
+#line 7
+category c697;
+#line 7
+category c698;
+#line 7
+category c699;
+#line 7
+category c700;
+#line 7
+category c701;
+#line 7
+category c702;
+#line 7
+category c703;
+#line 7
+category c704;
+#line 7
+category c705;
+#line 7
+category c706;
+#line 7
+category c707;
+#line 7
+category c708;
+#line 7
+category c709;
+#line 7
+category c710;
+#line 7
+category c711;
+#line 7
+category c712;
+#line 7
+category c713;
+#line 7
+category c714;
+#line 7
+category c715;
+#line 7
+category c716;
+#line 7
+category c717;
+#line 7
+category c718;
+#line 7
+category c719;
+#line 7
+category c720;
+#line 7
+category c721;
+#line 7
+category c722;
+#line 7
+category c723;
+#line 7
+category c724;
+#line 7
+category c725;
+#line 7
+category c726;
+#line 7
+category c727;
+#line 7
+category c728;
+#line 7
+category c729;
+#line 7
+category c730;
+#line 7
+category c731;
+#line 7
+category c732;
+#line 7
+category c733;
+#line 7
+category c734;
+#line 7
+category c735;
+#line 7
+category c736;
+#line 7
+category c737;
+#line 7
+category c738;
+#line 7
+category c739;
+#line 7
+category c740;
+#line 7
+category c741;
+#line 7
+category c742;
+#line 7
+category c743;
+#line 7
+category c744;
+#line 7
+category c745;
+#line 7
+category c746;
+#line 7
+category c747;
+#line 7
+category c748;
+#line 7
+category c749;
+#line 7
+category c750;
+#line 7
+category c751;
+#line 7
+category c752;
+#line 7
+category c753;
+#line 7
+category c754;
+#line 7
+category c755;
+#line 7
+category c756;
+#line 7
+category c757;
+#line 7
+category c758;
+#line 7
+category c759;
+#line 7
+category c760;
+#line 7
+category c761;
+#line 7
+category c762;
+#line 7
+category c763;
+#line 7
+category c764;
+#line 7
+category c765;
+#line 7
+category c766;
+#line 7
+category c767;
+#line 7
+category c768;
+#line 7
+category c769;
+#line 7
+category c770;
+#line 7
+category c771;
+#line 7
+category c772;
+#line 7
+category c773;
+#line 7
+category c774;
+#line 7
+category c775;
+#line 7
+category c776;
+#line 7
+category c777;
+#line 7
+category c778;
+#line 7
+category c779;
+#line 7
+category c780;
+#line 7
+category c781;
+#line 7
+category c782;
+#line 7
+category c783;
+#line 7
+category c784;
+#line 7
+category c785;
+#line 7
+category c786;
+#line 7
+category c787;
+#line 7
+category c788;
+#line 7
+category c789;
+#line 7
+category c790;
+#line 7
+category c791;
+#line 7
+category c792;
+#line 7
+category c793;
+#line 7
+category c794;
+#line 7
+category c795;
+#line 7
+category c796;
+#line 7
+category c797;
+#line 7
+category c798;
+#line 7
+category c799;
+#line 7
+category c800;
+#line 7
+category c801;
+#line 7
+category c802;
+#line 7
+category c803;
+#line 7
+category c804;
+#line 7
+category c805;
+#line 7
+category c806;
+#line 7
+category c807;
+#line 7
+category c808;
+#line 7
+category c809;
+#line 7
+category c810;
+#line 7
+category c811;
+#line 7
+category c812;
+#line 7
+category c813;
+#line 7
+category c814;
+#line 7
+category c815;
+#line 7
+category c816;
+#line 7
+category c817;
+#line 7
+category c818;
+#line 7
+category c819;
+#line 7
+category c820;
+#line 7
+category c821;
+#line 7
+category c822;
+#line 7
+category c823;
+#line 7
+category c824;
+#line 7
+category c825;
+#line 7
+category c826;
+#line 7
+category c827;
+#line 7
+category c828;
+#line 7
+category c829;
+#line 7
+category c830;
+#line 7
+category c831;
+#line 7
+category c832;
+#line 7
+category c833;
+#line 7
+category c834;
+#line 7
+category c835;
+#line 7
+category c836;
+#line 7
+category c837;
+#line 7
+category c838;
+#line 7
+category c839;
+#line 7
+category c840;
+#line 7
+category c841;
+#line 7
+category c842;
+#line 7
+category c843;
+#line 7
+category c844;
+#line 7
+category c845;
+#line 7
+category c846;
+#line 7
+category c847;
+#line 7
+category c848;
+#line 7
+category c849;
+#line 7
+category c850;
+#line 7
+category c851;
+#line 7
+category c852;
+#line 7
+category c853;
+#line 7
+category c854;
+#line 7
+category c855;
+#line 7
+category c856;
+#line 7
+category c857;
+#line 7
+category c858;
+#line 7
+category c859;
+#line 7
+category c860;
+#line 7
+category c861;
+#line 7
+category c862;
+#line 7
+category c863;
+#line 7
+category c864;
+#line 7
+category c865;
+#line 7
+category c866;
+#line 7
+category c867;
+#line 7
+category c868;
+#line 7
+category c869;
+#line 7
+category c870;
+#line 7
+category c871;
+#line 7
+category c872;
+#line 7
+category c873;
+#line 7
+category c874;
+#line 7
+category c875;
+#line 7
+category c876;
+#line 7
+category c877;
+#line 7
+category c878;
+#line 7
+category c879;
+#line 7
+category c880;
+#line 7
+category c881;
+#line 7
+category c882;
+#line 7
+category c883;
+#line 7
+category c884;
+#line 7
+category c885;
+#line 7
+category c886;
+#line 7
+category c887;
+#line 7
+category c888;
+#line 7
+category c889;
+#line 7
+category c890;
+#line 7
+category c891;
+#line 7
+category c892;
+#line 7
+category c893;
+#line 7
+category c894;
+#line 7
+category c895;
+#line 7
+category c896;
+#line 7
+category c897;
+#line 7
+category c898;
+#line 7
+category c899;
+#line 7
+category c900;
+#line 7
+category c901;
+#line 7
+category c902;
+#line 7
+category c903;
+#line 7
+category c904;
+#line 7
+category c905;
+#line 7
+category c906;
+#line 7
+category c907;
+#line 7
+category c908;
+#line 7
+category c909;
+#line 7
+category c910;
+#line 7
+category c911;
+#line 7
+category c912;
+#line 7
+category c913;
+#line 7
+category c914;
+#line 7
+category c915;
+#line 7
+category c916;
+#line 7
+category c917;
+#line 7
+category c918;
+#line 7
+category c919;
+#line 7
+category c920;
+#line 7
+category c921;
+#line 7
+category c922;
+#line 7
+category c923;
+#line 7
+category c924;
+#line 7
+category c925;
+#line 7
+category c926;
+#line 7
+category c927;
+#line 7
+category c928;
+#line 7
+category c929;
+#line 7
+category c930;
+#line 7
+category c931;
+#line 7
+category c932;
+#line 7
+category c933;
+#line 7
+category c934;
+#line 7
+category c935;
+#line 7
+category c936;
+#line 7
+category c937;
+#line 7
+category c938;
+#line 7
+category c939;
+#line 7
+category c940;
+#line 7
+category c941;
+#line 7
+category c942;
+#line 7
+category c943;
+#line 7
+category c944;
+#line 7
+category c945;
+#line 7
+category c946;
+#line 7
+category c947;
+#line 7
+category c948;
+#line 7
+category c949;
+#line 7
+category c950;
+#line 7
+category c951;
+#line 7
+category c952;
+#line 7
+category c953;
+#line 7
+category c954;
+#line 7
+category c955;
+#line 7
+category c956;
+#line 7
+category c957;
+#line 7
+category c958;
+#line 7
+category c959;
+#line 7
+category c960;
+#line 7
+category c961;
+#line 7
+category c962;
+#line 7
+category c963;
+#line 7
+category c964;
+#line 7
+category c965;
+#line 7
+category c966;
+#line 7
+category c967;
+#line 7
+category c968;
+#line 7
+category c969;
+#line 7
+category c970;
+#line 7
+category c971;
+#line 7
+category c972;
+#line 7
+category c973;
+#line 7
+category c974;
+#line 7
+category c975;
+#line 7
+category c976;
+#line 7
+category c977;
+#line 7
+category c978;
+#line 7
+category c979;
+#line 7
+category c980;
+#line 7
+category c981;
+#line 7
+category c982;
+#line 7
+category c983;
+#line 7
+category c984;
+#line 7
+category c985;
+#line 7
+category c986;
+#line 7
+category c987;
+#line 7
+category c988;
+#line 7
+category c989;
+#line 7
+category c990;
+#line 7
+category c991;
+#line 7
+category c992;
+#line 7
+category c993;
+#line 7
+category c994;
+#line 7
+category c995;
+#line 7
+category c996;
+#line 7
+category c997;
+#line 7
+category c998;
+#line 7
+category c999;
+#line 7
+category c1000;
+#line 7
+category c1001;
+#line 7
+category c1002;
+#line 7
+category c1003;
+#line 7
+category c1004;
+#line 7
+category c1005;
+#line 7
+category c1006;
+#line 7
+category c1007;
+#line 7
+category c1008;
+#line 7
+category c1009;
+#line 7
+category c1010;
+#line 7
+category c1011;
+#line 7
+category c1012;
+#line 7
+category c1013;
+#line 7
+category c1014;
+#line 7
+category c1015;
+#line 7
+category c1016;
+#line 7
+category c1017;
+#line 7
+category c1018;
+#line 7
+category c1019;
+#line 7
+category c1020;
+#line 7
+category c1021;
+#line 7
+category c1022;
+#line 7
+category c1023;
+#line 7
+
+
+# Generate level definitions for each sensitivity and category.
+level s0:c0.c1023;
+#line 10
+
+######################################
+# Attribute declarations
+#
+
+# All types used for processes.
+attribute domain;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+#line 1 "external/sepolicy/bluetooth.te"
+# bluetooth subsystem
+type bluetooth, domain;
+permissive bluetooth;
+
+#line 4
+typeattribute bluetooth appdomain;
+
+#line 5
+typeattribute bluetooth unconfineddomain;
+#line 5
+
+#line 1 "external/sepolicy/healthd.te"
+# healthd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type healthd, domain;
+permissive healthd;
+type healthd_exec, exec_type, file_type;
+
+# New domain is entered by executing the file.
+#line 7
+allow healthd healthd_exec:file { entrypoint read execute };
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+
+# Added to make the neverallow rule make sense in a limited environment.
+# Added at the bottom to not throw off file seek numbers in test suite.
+# This is not a problem, because allow rules are processed after all types
+# are gathered.
+type testTYPE, appdomain, domain;
diff --git a/tools/selinux/test/policy_test.conf b/tools/selinux/test/policy_test.conf
new file mode 100644
index 0000000..d0962cd
--- /dev/null
+++ b/tools/selinux/test/policy_test.conf
@@ -0,0 +1,2244 @@
+#line 1 "external/sepolicy/security_classes"
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class capability
+
+# file-related classes
+class file
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+########################################
+#
+# Basic level names for system low and high
+#
+
+
+#line 1 "external/sepolicy/mls"
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+
+#line 6
+# Each sensitivity has a name and zero or more aliases.
+#line 6
+sensitivity s0;
+#line 6
+
+#line 6
+
+#line 6
+# Define the ordering of the sensitivity levels (least to greatest)
+#line 6
+dominance { s0 }
+#line 6
+
+category c0;
+#line 7
+category c1;
+#line 7
+category c2;
+#line 7
+category c3;
+#line 7
+category c4;
+#line 7
+category c5;
+#line 7
+category c6;
+#line 7
+category c7;
+#line 7
+category c8;
+#line 7
+category c9;
+#line 7
+category c10;
+#line 7
+category c11;
+#line 7
+category c12;
+#line 7
+category c13;
+#line 7
+category c14;
+#line 7
+category c15;
+#line 7
+category c16;
+#line 7
+category c17;
+#line 7
+category c18;
+#line 7
+category c19;
+#line 7
+category c20;
+#line 7
+category c21;
+#line 7
+category c22;
+#line 7
+category c23;
+#line 7
+category c24;
+#line 7
+category c25;
+#line 7
+category c26;
+#line 7
+category c27;
+#line 7
+category c28;
+#line 7
+category c29;
+#line 7
+category c30;
+#line 7
+category c31;
+#line 7
+category c32;
+#line 7
+category c33;
+#line 7
+category c34;
+#line 7
+category c35;
+#line 7
+category c36;
+#line 7
+category c37;
+#line 7
+category c38;
+#line 7
+category c39;
+#line 7
+category c40;
+#line 7
+category c41;
+#line 7
+category c42;
+#line 7
+category c43;
+#line 7
+category c44;
+#line 7
+category c45;
+#line 7
+category c46;
+#line 7
+category c47;
+#line 7
+category c48;
+#line 7
+category c49;
+#line 7
+category c50;
+#line 7
+category c51;
+#line 7
+category c52;
+#line 7
+category c53;
+#line 7
+category c54;
+#line 7
+category c55;
+#line 7
+category c56;
+#line 7
+category c57;
+#line 7
+category c58;
+#line 7
+category c59;
+#line 7
+category c60;
+#line 7
+category c61;
+#line 7
+category c62;
+#line 7
+category c63;
+#line 7
+category c64;
+#line 7
+category c65;
+#line 7
+category c66;
+#line 7
+category c67;
+#line 7
+category c68;
+#line 7
+category c69;
+#line 7
+category c70;
+#line 7
+category c71;
+#line 7
+category c72;
+#line 7
+category c73;
+#line 7
+category c74;
+#line 7
+category c75;
+#line 7
+category c76;
+#line 7
+category c77;
+#line 7
+category c78;
+#line 7
+category c79;
+#line 7
+category c80;
+#line 7
+category c81;
+#line 7
+category c82;
+#line 7
+category c83;
+#line 7
+category c84;
+#line 7
+category c85;
+#line 7
+category c86;
+#line 7
+category c87;
+#line 7
+category c88;
+#line 7
+category c89;
+#line 7
+category c90;
+#line 7
+category c91;
+#line 7
+category c92;
+#line 7
+category c93;
+#line 7
+category c94;
+#line 7
+category c95;
+#line 7
+category c96;
+#line 7
+category c97;
+#line 7
+category c98;
+#line 7
+category c99;
+#line 7
+category c100;
+#line 7
+category c101;
+#line 7
+category c102;
+#line 7
+category c103;
+#line 7
+category c104;
+#line 7
+category c105;
+#line 7
+category c106;
+#line 7
+category c107;
+#line 7
+category c108;
+#line 7
+category c109;
+#line 7
+category c110;
+#line 7
+category c111;
+#line 7
+category c112;
+#line 7
+category c113;
+#line 7
+category c114;
+#line 7
+category c115;
+#line 7
+category c116;
+#line 7
+category c117;
+#line 7
+category c118;
+#line 7
+category c119;
+#line 7
+category c120;
+#line 7
+category c121;
+#line 7
+category c122;
+#line 7
+category c123;
+#line 7
+category c124;
+#line 7
+category c125;
+#line 7
+category c126;
+#line 7
+category c127;
+#line 7
+category c128;
+#line 7
+category c129;
+#line 7
+category c130;
+#line 7
+category c131;
+#line 7
+category c132;
+#line 7
+category c133;
+#line 7
+category c134;
+#line 7
+category c135;
+#line 7
+category c136;
+#line 7
+category c137;
+#line 7
+category c138;
+#line 7
+category c139;
+#line 7
+category c140;
+#line 7
+category c141;
+#line 7
+category c142;
+#line 7
+category c143;
+#line 7
+category c144;
+#line 7
+category c145;
+#line 7
+category c146;
+#line 7
+category c147;
+#line 7
+category c148;
+#line 7
+category c149;
+#line 7
+category c150;
+#line 7
+category c151;
+#line 7
+category c152;
+#line 7
+category c153;
+#line 7
+category c154;
+#line 7
+category c155;
+#line 7
+category c156;
+#line 7
+category c157;
+#line 7
+category c158;
+#line 7
+category c159;
+#line 7
+category c160;
+#line 7
+category c161;
+#line 7
+category c162;
+#line 7
+category c163;
+#line 7
+category c164;
+#line 7
+category c165;
+#line 7
+category c166;
+#line 7
+category c167;
+#line 7
+category c168;
+#line 7
+category c169;
+#line 7
+category c170;
+#line 7
+category c171;
+#line 7
+category c172;
+#line 7
+category c173;
+#line 7
+category c174;
+#line 7
+category c175;
+#line 7
+category c176;
+#line 7
+category c177;
+#line 7
+category c178;
+#line 7
+category c179;
+#line 7
+category c180;
+#line 7
+category c181;
+#line 7
+category c182;
+#line 7
+category c183;
+#line 7
+category c184;
+#line 7
+category c185;
+#line 7
+category c186;
+#line 7
+category c187;
+#line 7
+category c188;
+#line 7
+category c189;
+#line 7
+category c190;
+#line 7
+category c191;
+#line 7
+category c192;
+#line 7
+category c193;
+#line 7
+category c194;
+#line 7
+category c195;
+#line 7
+category c196;
+#line 7
+category c197;
+#line 7
+category c198;
+#line 7
+category c199;
+#line 7
+category c200;
+#line 7
+category c201;
+#line 7
+category c202;
+#line 7
+category c203;
+#line 7
+category c204;
+#line 7
+category c205;
+#line 7
+category c206;
+#line 7
+category c207;
+#line 7
+category c208;
+#line 7
+category c209;
+#line 7
+category c210;
+#line 7
+category c211;
+#line 7
+category c212;
+#line 7
+category c213;
+#line 7
+category c214;
+#line 7
+category c215;
+#line 7
+category c216;
+#line 7
+category c217;
+#line 7
+category c218;
+#line 7
+category c219;
+#line 7
+category c220;
+#line 7
+category c221;
+#line 7
+category c222;
+#line 7
+category c223;
+#line 7
+category c224;
+#line 7
+category c225;
+#line 7
+category c226;
+#line 7
+category c227;
+#line 7
+category c228;
+#line 7
+category c229;
+#line 7
+category c230;
+#line 7
+category c231;
+#line 7
+category c232;
+#line 7
+category c233;
+#line 7
+category c234;
+#line 7
+category c235;
+#line 7
+category c236;
+#line 7
+category c237;
+#line 7
+category c238;
+#line 7
+category c239;
+#line 7
+category c240;
+#line 7
+category c241;
+#line 7
+category c242;
+#line 7
+category c243;
+#line 7
+category c244;
+#line 7
+category c245;
+#line 7
+category c246;
+#line 7
+category c247;
+#line 7
+category c248;
+#line 7
+category c249;
+#line 7
+category c250;
+#line 7
+category c251;
+#line 7
+category c252;
+#line 7
+category c253;
+#line 7
+category c254;
+#line 7
+category c255;
+#line 7
+category c256;
+#line 7
+category c257;
+#line 7
+category c258;
+#line 7
+category c259;
+#line 7
+category c260;
+#line 7
+category c261;
+#line 7
+category c262;
+#line 7
+category c263;
+#line 7
+category c264;
+#line 7
+category c265;
+#line 7
+category c266;
+#line 7
+category c267;
+#line 7
+category c268;
+#line 7
+category c269;
+#line 7
+category c270;
+#line 7
+category c271;
+#line 7
+category c272;
+#line 7
+category c273;
+#line 7
+category c274;
+#line 7
+category c275;
+#line 7
+category c276;
+#line 7
+category c277;
+#line 7
+category c278;
+#line 7
+category c279;
+#line 7
+category c280;
+#line 7
+category c281;
+#line 7
+category c282;
+#line 7
+category c283;
+#line 7
+category c284;
+#line 7
+category c285;
+#line 7
+category c286;
+#line 7
+category c287;
+#line 7
+category c288;
+#line 7
+category c289;
+#line 7
+category c290;
+#line 7
+category c291;
+#line 7
+category c292;
+#line 7
+category c293;
+#line 7
+category c294;
+#line 7
+category c295;
+#line 7
+category c296;
+#line 7
+category c297;
+#line 7
+category c298;
+#line 7
+category c299;
+#line 7
+category c300;
+#line 7
+category c301;
+#line 7
+category c302;
+#line 7
+category c303;
+#line 7
+category c304;
+#line 7
+category c305;
+#line 7
+category c306;
+#line 7
+category c307;
+#line 7
+category c308;
+#line 7
+category c309;
+#line 7
+category c310;
+#line 7
+category c311;
+#line 7
+category c312;
+#line 7
+category c313;
+#line 7
+category c314;
+#line 7
+category c315;
+#line 7
+category c316;
+#line 7
+category c317;
+#line 7
+category c318;
+#line 7
+category c319;
+#line 7
+category c320;
+#line 7
+category c321;
+#line 7
+category c322;
+#line 7
+category c323;
+#line 7
+category c324;
+#line 7
+category c325;
+#line 7
+category c326;
+#line 7
+category c327;
+#line 7
+category c328;
+#line 7
+category c329;
+#line 7
+category c330;
+#line 7
+category c331;
+#line 7
+category c332;
+#line 7
+category c333;
+#line 7
+category c334;
+#line 7
+category c335;
+#line 7
+category c336;
+#line 7
+category c337;
+#line 7
+category c338;
+#line 7
+category c339;
+#line 7
+category c340;
+#line 7
+category c341;
+#line 7
+category c342;
+#line 7
+category c343;
+#line 7
+category c344;
+#line 7
+category c345;
+#line 7
+category c346;
+#line 7
+category c347;
+#line 7
+category c348;
+#line 7
+category c349;
+#line 7
+category c350;
+#line 7
+category c351;
+#line 7
+category c352;
+#line 7
+category c353;
+#line 7
+category c354;
+#line 7
+category c355;
+#line 7
+category c356;
+#line 7
+category c357;
+#line 7
+category c358;
+#line 7
+category c359;
+#line 7
+category c360;
+#line 7
+category c361;
+#line 7
+category c362;
+#line 7
+category c363;
+#line 7
+category c364;
+#line 7
+category c365;
+#line 7
+category c366;
+#line 7
+category c367;
+#line 7
+category c368;
+#line 7
+category c369;
+#line 7
+category c370;
+#line 7
+category c371;
+#line 7
+category c372;
+#line 7
+category c373;
+#line 7
+category c374;
+#line 7
+category c375;
+#line 7
+category c376;
+#line 7
+category c377;
+#line 7
+category c378;
+#line 7
+category c379;
+#line 7
+category c380;
+#line 7
+category c381;
+#line 7
+category c382;
+#line 7
+category c383;
+#line 7
+category c384;
+#line 7
+category c385;
+#line 7
+category c386;
+#line 7
+category c387;
+#line 7
+category c388;
+#line 7
+category c389;
+#line 7
+category c390;
+#line 7
+category c391;
+#line 7
+category c392;
+#line 7
+category c393;
+#line 7
+category c394;
+#line 7
+category c395;
+#line 7
+category c396;
+#line 7
+category c397;
+#line 7
+category c398;
+#line 7
+category c399;
+#line 7
+category c400;
+#line 7
+category c401;
+#line 7
+category c402;
+#line 7
+category c403;
+#line 7
+category c404;
+#line 7
+category c405;
+#line 7
+category c406;
+#line 7
+category c407;
+#line 7
+category c408;
+#line 7
+category c409;
+#line 7
+category c410;
+#line 7
+category c411;
+#line 7
+category c412;
+#line 7
+category c413;
+#line 7
+category c414;
+#line 7
+category c415;
+#line 7
+category c416;
+#line 7
+category c417;
+#line 7
+category c418;
+#line 7
+category c419;
+#line 7
+category c420;
+#line 7
+category c421;
+#line 7
+category c422;
+#line 7
+category c423;
+#line 7
+category c424;
+#line 7
+category c425;
+#line 7
+category c426;
+#line 7
+category c427;
+#line 7
+category c428;
+#line 7
+category c429;
+#line 7
+category c430;
+#line 7
+category c431;
+#line 7
+category c432;
+#line 7
+category c433;
+#line 7
+category c434;
+#line 7
+category c435;
+#line 7
+category c436;
+#line 7
+category c437;
+#line 7
+category c438;
+#line 7
+category c439;
+#line 7
+category c440;
+#line 7
+category c441;
+#line 7
+category c442;
+#line 7
+category c443;
+#line 7
+category c444;
+#line 7
+category c445;
+#line 7
+category c446;
+#line 7
+category c447;
+#line 7
+category c448;
+#line 7
+category c449;
+#line 7
+category c450;
+#line 7
+category c451;
+#line 7
+category c452;
+#line 7
+category c453;
+#line 7
+category c454;
+#line 7
+category c455;
+#line 7
+category c456;
+#line 7
+category c457;
+#line 7
+category c458;
+#line 7
+category c459;
+#line 7
+category c460;
+#line 7
+category c461;
+#line 7
+category c462;
+#line 7
+category c463;
+#line 7
+category c464;
+#line 7
+category c465;
+#line 7
+category c466;
+#line 7
+category c467;
+#line 7
+category c468;
+#line 7
+category c469;
+#line 7
+category c470;
+#line 7
+category c471;
+#line 7
+category c472;
+#line 7
+category c473;
+#line 7
+category c474;
+#line 7
+category c475;
+#line 7
+category c476;
+#line 7
+category c477;
+#line 7
+category c478;
+#line 7
+category c479;
+#line 7
+category c480;
+#line 7
+category c481;
+#line 7
+category c482;
+#line 7
+category c483;
+#line 7
+category c484;
+#line 7
+category c485;
+#line 7
+category c486;
+#line 7
+category c487;
+#line 7
+category c488;
+#line 7
+category c489;
+#line 7
+category c490;
+#line 7
+category c491;
+#line 7
+category c492;
+#line 7
+category c493;
+#line 7
+category c494;
+#line 7
+category c495;
+#line 7
+category c496;
+#line 7
+category c497;
+#line 7
+category c498;
+#line 7
+category c499;
+#line 7
+category c500;
+#line 7
+category c501;
+#line 7
+category c502;
+#line 7
+category c503;
+#line 7
+category c504;
+#line 7
+category c505;
+#line 7
+category c506;
+#line 7
+category c507;
+#line 7
+category c508;
+#line 7
+category c509;
+#line 7
+category c510;
+#line 7
+category c511;
+#line 7
+category c512;
+#line 7
+category c513;
+#line 7
+category c514;
+#line 7
+category c515;
+#line 7
+category c516;
+#line 7
+category c517;
+#line 7
+category c518;
+#line 7
+category c519;
+#line 7
+category c520;
+#line 7
+category c521;
+#line 7
+category c522;
+#line 7
+category c523;
+#line 7
+category c524;
+#line 7
+category c525;
+#line 7
+category c526;
+#line 7
+category c527;
+#line 7
+category c528;
+#line 7
+category c529;
+#line 7
+category c530;
+#line 7
+category c531;
+#line 7
+category c532;
+#line 7
+category c533;
+#line 7
+category c534;
+#line 7
+category c535;
+#line 7
+category c536;
+#line 7
+category c537;
+#line 7
+category c538;
+#line 7
+category c539;
+#line 7
+category c540;
+#line 7
+category c541;
+#line 7
+category c542;
+#line 7
+category c543;
+#line 7
+category c544;
+#line 7
+category c545;
+#line 7
+category c546;
+#line 7
+category c547;
+#line 7
+category c548;
+#line 7
+category c549;
+#line 7
+category c550;
+#line 7
+category c551;
+#line 7
+category c552;
+#line 7
+category c553;
+#line 7
+category c554;
+#line 7
+category c555;
+#line 7
+category c556;
+#line 7
+category c557;
+#line 7
+category c558;
+#line 7
+category c559;
+#line 7
+category c560;
+#line 7
+category c561;
+#line 7
+category c562;
+#line 7
+category c563;
+#line 7
+category c564;
+#line 7
+category c565;
+#line 7
+category c566;
+#line 7
+category c567;
+#line 7
+category c568;
+#line 7
+category c569;
+#line 7
+category c570;
+#line 7
+category c571;
+#line 7
+category c572;
+#line 7
+category c573;
+#line 7
+category c574;
+#line 7
+category c575;
+#line 7
+category c576;
+#line 7
+category c577;
+#line 7
+category c578;
+#line 7
+category c579;
+#line 7
+category c580;
+#line 7
+category c581;
+#line 7
+category c582;
+#line 7
+category c583;
+#line 7
+category c584;
+#line 7
+category c585;
+#line 7
+category c586;
+#line 7
+category c587;
+#line 7
+category c588;
+#line 7
+category c589;
+#line 7
+category c590;
+#line 7
+category c591;
+#line 7
+category c592;
+#line 7
+category c593;
+#line 7
+category c594;
+#line 7
+category c595;
+#line 7
+category c596;
+#line 7
+category c597;
+#line 7
+category c598;
+#line 7
+category c599;
+#line 7
+category c600;
+#line 7
+category c601;
+#line 7
+category c602;
+#line 7
+category c603;
+#line 7
+category c604;
+#line 7
+category c605;
+#line 7
+category c606;
+#line 7
+category c607;
+#line 7
+category c608;
+#line 7
+category c609;
+#line 7
+category c610;
+#line 7
+category c611;
+#line 7
+category c612;
+#line 7
+category c613;
+#line 7
+category c614;
+#line 7
+category c615;
+#line 7
+category c616;
+#line 7
+category c617;
+#line 7
+category c618;
+#line 7
+category c619;
+#line 7
+category c620;
+#line 7
+category c621;
+#line 7
+category c622;
+#line 7
+category c623;
+#line 7
+category c624;
+#line 7
+category c625;
+#line 7
+category c626;
+#line 7
+category c627;
+#line 7
+category c628;
+#line 7
+category c629;
+#line 7
+category c630;
+#line 7
+category c631;
+#line 7
+category c632;
+#line 7
+category c633;
+#line 7
+category c634;
+#line 7
+category c635;
+#line 7
+category c636;
+#line 7
+category c637;
+#line 7
+category c638;
+#line 7
+category c639;
+#line 7
+category c640;
+#line 7
+category c641;
+#line 7
+category c642;
+#line 7
+category c643;
+#line 7
+category c644;
+#line 7
+category c645;
+#line 7
+category c646;
+#line 7
+category c647;
+#line 7
+category c648;
+#line 7
+category c649;
+#line 7
+category c650;
+#line 7
+category c651;
+#line 7
+category c652;
+#line 7
+category c653;
+#line 7
+category c654;
+#line 7
+category c655;
+#line 7
+category c656;
+#line 7
+category c657;
+#line 7
+category c658;
+#line 7
+category c659;
+#line 7
+category c660;
+#line 7
+category c661;
+#line 7
+category c662;
+#line 7
+category c663;
+#line 7
+category c664;
+#line 7
+category c665;
+#line 7
+category c666;
+#line 7
+category c667;
+#line 7
+category c668;
+#line 7
+category c669;
+#line 7
+category c670;
+#line 7
+category c671;
+#line 7
+category c672;
+#line 7
+category c673;
+#line 7
+category c674;
+#line 7
+category c675;
+#line 7
+category c676;
+#line 7
+category c677;
+#line 7
+category c678;
+#line 7
+category c679;
+#line 7
+category c680;
+#line 7
+category c681;
+#line 7
+category c682;
+#line 7
+category c683;
+#line 7
+category c684;
+#line 7
+category c685;
+#line 7
+category c686;
+#line 7
+category c687;
+#line 7
+category c688;
+#line 7
+category c689;
+#line 7
+category c690;
+#line 7
+category c691;
+#line 7
+category c692;
+#line 7
+category c693;
+#line 7
+category c694;
+#line 7
+category c695;
+#line 7
+category c696;
+#line 7
+category c697;
+#line 7
+category c698;
+#line 7
+category c699;
+#line 7
+category c700;
+#line 7
+category c701;
+#line 7
+category c702;
+#line 7
+category c703;
+#line 7
+category c704;
+#line 7
+category c705;
+#line 7
+category c706;
+#line 7
+category c707;
+#line 7
+category c708;
+#line 7
+category c709;
+#line 7
+category c710;
+#line 7
+category c711;
+#line 7
+category c712;
+#line 7
+category c713;
+#line 7
+category c714;
+#line 7
+category c715;
+#line 7
+category c716;
+#line 7
+category c717;
+#line 7
+category c718;
+#line 7
+category c719;
+#line 7
+category c720;
+#line 7
+category c721;
+#line 7
+category c722;
+#line 7
+category c723;
+#line 7
+category c724;
+#line 7
+category c725;
+#line 7
+category c726;
+#line 7
+category c727;
+#line 7
+category c728;
+#line 7
+category c729;
+#line 7
+category c730;
+#line 7
+category c731;
+#line 7
+category c732;
+#line 7
+category c733;
+#line 7
+category c734;
+#line 7
+category c735;
+#line 7
+category c736;
+#line 7
+category c737;
+#line 7
+category c738;
+#line 7
+category c739;
+#line 7
+category c740;
+#line 7
+category c741;
+#line 7
+category c742;
+#line 7
+category c743;
+#line 7
+category c744;
+#line 7
+category c745;
+#line 7
+category c746;
+#line 7
+category c747;
+#line 7
+category c748;
+#line 7
+category c749;
+#line 7
+category c750;
+#line 7
+category c751;
+#line 7
+category c752;
+#line 7
+category c753;
+#line 7
+category c754;
+#line 7
+category c755;
+#line 7
+category c756;
+#line 7
+category c757;
+#line 7
+category c758;
+#line 7
+category c759;
+#line 7
+category c760;
+#line 7
+category c761;
+#line 7
+category c762;
+#line 7
+category c763;
+#line 7
+category c764;
+#line 7
+category c765;
+#line 7
+category c766;
+#line 7
+category c767;
+#line 7
+category c768;
+#line 7
+category c769;
+#line 7
+category c770;
+#line 7
+category c771;
+#line 7
+category c772;
+#line 7
+category c773;
+#line 7
+category c774;
+#line 7
+category c775;
+#line 7
+category c776;
+#line 7
+category c777;
+#line 7
+category c778;
+#line 7
+category c779;
+#line 7
+category c780;
+#line 7
+category c781;
+#line 7
+category c782;
+#line 7
+category c783;
+#line 7
+category c784;
+#line 7
+category c785;
+#line 7
+category c786;
+#line 7
+category c787;
+#line 7
+category c788;
+#line 7
+category c789;
+#line 7
+category c790;
+#line 7
+category c791;
+#line 7
+category c792;
+#line 7
+category c793;
+#line 7
+category c794;
+#line 7
+category c795;
+#line 7
+category c796;
+#line 7
+category c797;
+#line 7
+category c798;
+#line 7
+category c799;
+#line 7
+category c800;
+#line 7
+category c801;
+#line 7
+category c802;
+#line 7
+category c803;
+#line 7
+category c804;
+#line 7
+category c805;
+#line 7
+category c806;
+#line 7
+category c807;
+#line 7
+category c808;
+#line 7
+category c809;
+#line 7
+category c810;
+#line 7
+category c811;
+#line 7
+category c812;
+#line 7
+category c813;
+#line 7
+category c814;
+#line 7
+category c815;
+#line 7
+category c816;
+#line 7
+category c817;
+#line 7
+category c818;
+#line 7
+category c819;
+#line 7
+category c820;
+#line 7
+category c821;
+#line 7
+category c822;
+#line 7
+category c823;
+#line 7
+category c824;
+#line 7
+category c825;
+#line 7
+category c826;
+#line 7
+category c827;
+#line 7
+category c828;
+#line 7
+category c829;
+#line 7
+category c830;
+#line 7
+category c831;
+#line 7
+category c832;
+#line 7
+category c833;
+#line 7
+category c834;
+#line 7
+category c835;
+#line 7
+category c836;
+#line 7
+category c837;
+#line 7
+category c838;
+#line 7
+category c839;
+#line 7
+category c840;
+#line 7
+category c841;
+#line 7
+category c842;
+#line 7
+category c843;
+#line 7
+category c844;
+#line 7
+category c845;
+#line 7
+category c846;
+#line 7
+category c847;
+#line 7
+category c848;
+#line 7
+category c849;
+#line 7
+category c850;
+#line 7
+category c851;
+#line 7
+category c852;
+#line 7
+category c853;
+#line 7
+category c854;
+#line 7
+category c855;
+#line 7
+category c856;
+#line 7
+category c857;
+#line 7
+category c858;
+#line 7
+category c859;
+#line 7
+category c860;
+#line 7
+category c861;
+#line 7
+category c862;
+#line 7
+category c863;
+#line 7
+category c864;
+#line 7
+category c865;
+#line 7
+category c866;
+#line 7
+category c867;
+#line 7
+category c868;
+#line 7
+category c869;
+#line 7
+category c870;
+#line 7
+category c871;
+#line 7
+category c872;
+#line 7
+category c873;
+#line 7
+category c874;
+#line 7
+category c875;
+#line 7
+category c876;
+#line 7
+category c877;
+#line 7
+category c878;
+#line 7
+category c879;
+#line 7
+category c880;
+#line 7
+category c881;
+#line 7
+category c882;
+#line 7
+category c883;
+#line 7
+category c884;
+#line 7
+category c885;
+#line 7
+category c886;
+#line 7
+category c887;
+#line 7
+category c888;
+#line 7
+category c889;
+#line 7
+category c890;
+#line 7
+category c891;
+#line 7
+category c892;
+#line 7
+category c893;
+#line 7
+category c894;
+#line 7
+category c895;
+#line 7
+category c896;
+#line 7
+category c897;
+#line 7
+category c898;
+#line 7
+category c899;
+#line 7
+category c900;
+#line 7
+category c901;
+#line 7
+category c902;
+#line 7
+category c903;
+#line 7
+category c904;
+#line 7
+category c905;
+#line 7
+category c906;
+#line 7
+category c907;
+#line 7
+category c908;
+#line 7
+category c909;
+#line 7
+category c910;
+#line 7
+category c911;
+#line 7
+category c912;
+#line 7
+category c913;
+#line 7
+category c914;
+#line 7
+category c915;
+#line 7
+category c916;
+#line 7
+category c917;
+#line 7
+category c918;
+#line 7
+category c919;
+#line 7
+category c920;
+#line 7
+category c921;
+#line 7
+category c922;
+#line 7
+category c923;
+#line 7
+category c924;
+#line 7
+category c925;
+#line 7
+category c926;
+#line 7
+category c927;
+#line 7
+category c928;
+#line 7
+category c929;
+#line 7
+category c930;
+#line 7
+category c931;
+#line 7
+category c932;
+#line 7
+category c933;
+#line 7
+category c934;
+#line 7
+category c935;
+#line 7
+category c936;
+#line 7
+category c937;
+#line 7
+category c938;
+#line 7
+category c939;
+#line 7
+category c940;
+#line 7
+category c941;
+#line 7
+category c942;
+#line 7
+category c943;
+#line 7
+category c944;
+#line 7
+category c945;
+#line 7
+category c946;
+#line 7
+category c947;
+#line 7
+category c948;
+#line 7
+category c949;
+#line 7
+category c950;
+#line 7
+category c951;
+#line 7
+category c952;
+#line 7
+category c953;
+#line 7
+category c954;
+#line 7
+category c955;
+#line 7
+category c956;
+#line 7
+category c957;
+#line 7
+category c958;
+#line 7
+category c959;
+#line 7
+category c960;
+#line 7
+category c961;
+#line 7
+category c962;
+#line 7
+category c963;
+#line 7
+category c964;
+#line 7
+category c965;
+#line 7
+category c966;
+#line 7
+category c967;
+#line 7
+category c968;
+#line 7
+category c969;
+#line 7
+category c970;
+#line 7
+category c971;
+#line 7
+category c972;
+#line 7
+category c973;
+#line 7
+category c974;
+#line 7
+category c975;
+#line 7
+category c976;
+#line 7
+category c977;
+#line 7
+category c978;
+#line 7
+category c979;
+#line 7
+category c980;
+#line 7
+category c981;
+#line 7
+category c982;
+#line 7
+category c983;
+#line 7
+category c984;
+#line 7
+category c985;
+#line 7
+category c986;
+#line 7
+category c987;
+#line 7
+category c988;
+#line 7
+category c989;
+#line 7
+category c990;
+#line 7
+category c991;
+#line 7
+category c992;
+#line 7
+category c993;
+#line 7
+category c994;
+#line 7
+category c995;
+#line 7
+category c996;
+#line 7
+category c997;
+#line 7
+category c998;
+#line 7
+category c999;
+#line 7
+category c1000;
+#line 7
+category c1001;
+#line 7
+category c1002;
+#line 7
+category c1003;
+#line 7
+category c1004;
+#line 7
+category c1005;
+#line 7
+category c1006;
+#line 7
+category c1007;
+#line 7
+category c1008;
+#line 7
+category c1009;
+#line 7
+category c1010;
+#line 7
+category c1011;
+#line 7
+category c1012;
+#line 7
+category c1013;
+#line 7
+category c1014;
+#line 7
+category c1015;
+#line 7
+category c1016;
+#line 7
+category c1017;
+#line 7
+category c1018;
+#line 7
+category c1019;
+#line 7
+category c1020;
+#line 7
+category c1021;
+#line 7
+category c1022;
+#line 7
+category c1023;
+#line 7
+
+
+# Generate level definitions for each sensitivity and category.
+level s0:c0.c1023;
+#line 10
+
+######################################
+# Attribute declarations
+#
+
+# All types used for processes.
+attribute domain;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+#line 1 "external/sepolicy/bluetooth.te"
+# bluetooth subsystem
+type bluetooth, domain;
+permissive bluetooth;
+
+#line 4
+typeattribute bluetooth appdomain;
+
+#line 5
+typeattribute bluetooth unconfineddomain;
+#line 5
+
+#line 1 "external/sepolicy/healthd.te"
+# healthd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type healthd, domain;
+permissive healthd;
+type healthd_exec, exec_type, file_type;
+
+# New domain is entered by executing the file.
+#line 7
+allow healthd healthd_exec:file { entrypoint read execute };
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+
+# Added to make the neverallow rule make sense in a limited environment.
+# Added at the bottom to not throw off file seek numbers in test suite.
+# This is not a problem, because allow rules are processed after all types
+# are gathered.
+type testTYPE, appdomain, domain;
+
+# added rules for further testing (display full range of needed functionality)
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
+
+allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+
+neverallow { appdomain -unconfineddomain } {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ gps_device
+ rpmsg_device
+}:chr_file { read write };
\ No newline at end of file
diff --git a/tools/selinux/test/testrunner.py b/tools/selinux/test/testrunner.py
new file mode 100755
index 0000000..bc424e9
--- /dev/null
+++ b/tools/selinux/test/testrunner.py
@@ -0,0 +1,442 @@
+#!/usr/bin/python
+import sys
+sys.path.append('../src')
+import unittest
+import SELinux_CTS
+from SELinux_CTS import SELinuxPolicy
+
+policy_file_name = 'policy_test.conf'
+types = set([
+ 'bluetooth',
+ 'healthd',
+ 'healthd_exec',
+ 'testTYPE' ]) #testTYPE added for neverallow rule to make sense
+attributes = {
+ 'domain': set(['bluetooth', 'healthd', 'testTYPE']),
+ 'unconfineddomain': set(['bluetooth']),
+ 'appdomain': set(['bluetooth', 'testTYPE']),
+ 'file_type': set(['healthd_exec']),
+ 'exec_type': set(['healthd_exec']) }
+common_classes = {
+ 'file': set([
+ 'ioctl',
+ 'read',
+ 'write',
+ 'create',
+ 'getattr',
+ 'setattr',
+ 'lock',
+ 'relabelfrom',
+ 'relabelto',
+ 'append',
+ 'unlink',
+ 'link',
+ 'rename',
+ 'execute',
+ 'swapon',
+ 'quotaon',
+ 'mounton' ]) }
+classes = {
+ 'capability': set([
+ 'chown',
+ 'dac_override',
+ 'dac_read_search',
+ 'fowner',
+ 'fsetid',
+ 'kill',
+ 'setgid',
+ 'setuid',
+ 'setpcap',
+ 'linux_immutable',
+ 'net_bind_service',
+ 'net_broadcast',
+ 'net_admin',
+ 'net_raw',
+ 'ipc_lock',
+ 'ipc_owner',
+ 'sys_module',
+ 'sys_rawio',
+ 'sys_chroot',
+ 'sys_ptrace',
+ 'sys_pacct',
+ 'sys_admin',
+ 'sys_boot',
+ 'sys_nice',
+ 'sys_resource',
+ 'sys_time',
+ 'sys_tty_config',
+ 'mknod',
+ 'lease',
+ 'audit_write',
+ 'audit_control',
+ 'setfcap' ]),
+ 'file': (set([
+ 'execute_no_trans',
+ 'entrypoint',
+ 'execmod',
+ 'open',
+ 'audit_access' ]) | common_classes['file']) }
+
+# allow healthd healthd_exec:file { entrypoint read execute };
+allow_rules = [
+ { 'source_types': {
+ 'set': set([
+ 'healthd']),
+ 'flags': { 'complement': False } },
+ 'target_types': {
+ 'set': set([
+ 'healthd_exec']),
+ 'flags': { 'complement': False } },
+ 'classes': {
+ 'set': set([
+ 'file']),
+ 'flags': { 'complement': False } },
+ 'permissions': {
+ 'set': set([
+ 'entrypoint',
+ 'read',
+ 'execute' ]),
+ 'flags': { 'complement': False } } } ]
+
+# neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+neverallow_rules = [
+ { 'source_types': {
+ 'set': set([
+ 'appdomain',
+ '-unconfineddomain',
+ '-bluetooth' ]),
+ 'flags': { 'complement': False } },
+ 'target_types': {
+ 'set': set([
+ 'self']),
+ 'flags': { 'complement': False } },
+ 'classes': {
+ 'set': set([
+ 'capability']),
+ 'flags': { 'complement': False } },
+ 'permissions': {
+ 'set': set([
+ '*' ]),
+ 'flags': { 'complement': False } } } ]
+
+expected_final_allow_list = [
+ [ ('healthd', 'healthd_exec', 'file', 'entrypoint'),
+ ('healthd', 'healthd_exec', 'file', 'read'),
+ ('healthd', 'healthd_exec', 'file', 'execute') ] ]
+
+expected_final_neverallow_list = [
+ [ ('testTYPE', 'testTYPE', 'capability', 'chown'),
+ ('testTYPE', 'testTYPE', 'capability', 'dac_override'),
+ ('testTYPE', 'testTYPE', 'capability', 'dac_read_search'),
+ ('testTYPE', 'testTYPE', 'capability', 'fowner'),
+ ('testTYPE', 'testTYPE', 'capability', 'fsetid'),
+ ('testTYPE', 'testTYPE', 'capability', 'kill'),
+ ('testTYPE', 'testTYPE', 'capability', 'setgid'),
+ ('testTYPE', 'testTYPE', 'capability', 'setuid'),
+ ('testTYPE', 'testTYPE', 'capability', 'setpcap'),
+ ('testTYPE', 'testTYPE', 'capability', 'linux_immutable'),
+ ('testTYPE', 'testTYPE', 'capability', 'net_bind_service'),
+ ('testTYPE', 'testTYPE', 'capability', 'net_broadcast'),
+ ('testTYPE', 'testTYPE', 'capability', 'net_admin'),
+ ('testTYPE', 'testTYPE', 'capability', 'net_raw'),
+ ('testTYPE', 'testTYPE', 'capability', 'ipc_lock'),
+ ('testTYPE', 'testTYPE', 'capability', 'ipc_owner'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_module'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_rawio'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_chroot'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_ptrace'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_pacct'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_admin'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_boot'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_nice'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_resource'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_time'),
+ ('testTYPE', 'testTYPE', 'capability', 'sys_tty_config'),
+ ('testTYPE', 'testTYPE', 'capability', 'mknod'),
+ ('testTYPE', 'testTYPE', 'capability', 'lease'),
+ ('testTYPE', 'testTYPE', 'capability', 'audit_write'),
+ ('testTYPE', 'testTYPE', 'capability', 'audit_control'),
+ ('testTYPE', 'testTYPE', 'capability', 'setfcap') ] ]
+
+
+class SELinuxPolicyTests(unittest.TestCase):
+
+
+ def setUp(self):
+ self.test_policy = SELinuxPolicy()
+ self.test_file = open(policy_file_name, 'r')
+ self.test_policy.types = types
+ self.test_policy.attributes = attributes
+ self.test_policy.common_classes = common_classes
+ self.test_policy.classes = classes
+ self.test_policy.allow_rules = allow_rules
+ self.test_policy.neverallow_rules = neverallow_rules
+ return
+
+ def testExpandAvcRule(self):
+ #TODO: add more examples here to cover different cases
+ expanded_allow_list = SELinux_CTS.expand_avc_rule(self.test_policy, self.test_policy.allow_rules[0])
+ for a in expected_final_allow_list[0]:
+ self.failUnless(a in expanded_allow_list)
+ expanded_neverallow_list = SELinux_CTS.expand_avc_rule(self.test_policy, self.test_policy.neverallow_rules[0])
+ for n in expected_final_neverallow_list[0]:
+ self.failUnless(n in expanded_neverallow_list)
+
+ def testExpandBrackets(self):
+ #test position without bracket:
+ self.test_file.seek(279)
+ self.failIf(SELinux_CTS.expand_brackets(self.test_file))
+
+ #test position with bracket:
+ self.test_file.seek(26123)
+ self.failUnless(SELinux_CTS.expand_brackets(self.test_file) == " entrypoint read execute ")
+
+ #test position with nested brackets:
+ self.test_file.seek(26873)
+ self.failUnless(SELinux_CTS.expand_brackets(self.test_file)
+ == " dir chr_file blk_file file lnk_file sock_file fifo_file ")
+
+ def testGetAvcRuleComponent(self):
+ #test against normal ('allow healthd healthd_exec:file ...)
+ self.test_file.seek(26096)
+ normal_src = { 'flags': { 'complement': False },
+ 'set': set(['healthd']) }
+ normal_tgt = { 'flags': { 'complement': False },
+ 'set': set(['healthd_exec']) }
+ normal_class = { 'flags': { 'complement': False },
+ 'set': set(['file']) }
+ normal_perm = { 'flags': { 'complement': False },
+ 'set': set(['entrypoint', 'read', 'execute']) }
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == normal_src)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == normal_tgt)
+ c = SELinux_CTS.advance_past_whitespace(self.test_file)
+ if c == ':':
+ self.test_file.read(1)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == normal_class)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == normal_perm)
+
+ #test against 'hard' ('init {fs_type ...' )
+ self.test_file.seek(26838)
+ hard_src = { 'flags': { 'complement': False },
+ 'set': set(['init']) }
+ hard_tgt = { 'flags': { 'complement': False },
+ 'set': set(['fs_type', 'dev_type', 'file_type']) }
+ hard_class = { 'flags': { 'complement': False },
+ 'set': set(['dir', 'chr_file', 'blk_file', 'file', 'lnk_file', 'sock_file', 'fifo_file']) }
+ hard_perm = { 'flags': { 'complement': False },
+ 'set': set(['relabelto']) }
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == hard_src)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == hard_tgt)
+ #mimic ':' check:
+ c = SELinux_CTS.advance_past_whitespace(self.test_file)
+ if c == ':':
+ self.test_file.read(1)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == hard_class)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == hard_perm)
+
+ #test against 'multi-line' ('init {fs_type ...' )
+ self.test_file.seek(26967)
+ multi_src = { 'flags': { 'complement': False },
+ 'set': set(['appdomain', '-unconfineddomain']) }
+ multi_tgt = { 'flags': { 'complement': False },
+ 'set': set(['audio_device', 'camera_device', 'dm_device', 'radio_device', 'gps_device', 'rpmsg_device']) }
+ multi_class = { 'flags': { 'complement': False },
+ 'set': set(['chr_file']) }
+ multi_perm = { 'flags': { 'complement': False },
+ 'set': set(['read', 'write']) }
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == multi_src)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == multi_tgt)
+ c = SELinux_CTS.advance_past_whitespace(self.test_file)
+ if c == ':':
+ self.test_file.read(1)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == multi_class)
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == multi_perm)
+
+ #test against 'complement'
+ self.test_file.seek(26806)
+ complement = { 'flags': { 'complement': True },
+ 'set': set(['entrypoint', 'relabelto']) }
+ self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+ == complement)
+
+ def testGetLineType(self):
+ self.failUnless(SELinux_CTS.get_line_type('type bluetooth, domain;')
+ == SELinux_CTS.TYPE)
+ self.failUnless(SELinux_CTS.get_line_type('attribute unconfineddomain;')
+ == SELinux_CTS.ATTRIBUTE)
+ self.failUnless(SELinux_CTS.get_line_type('typeattribute bluetooth appdomain;')
+ == SELinux_CTS.TYPEATTRIBUTE)
+ self.failUnless(SELinux_CTS.get_line_type('class file')
+ == SELinux_CTS.CLASS)
+ self.failUnless(SELinux_CTS.get_line_type('common file')
+ == SELinux_CTS.COMMON)
+ self.failUnless(SELinux_CTS.get_line_type('allow healthd healthd_exec:file { entrypoint read execute };')
+ == SELinux_CTS.ALLOW_RULE)
+ self.failUnless(SELinux_CTS.get_line_type('neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;')
+ == SELinux_CTS.NEVERALLOW_RULE)
+ self.failUnless(SELinux_CTS.get_line_type('# FLASK')
+ == SELinux_CTS.OTHER)
+
+ def testIsMultiLine(self):
+ self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPE))
+ self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.ATTRIBUTE))
+ self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPEATTRIBUTE))
+ self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.CLASS))
+ self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.COMMON))
+ self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.ALLOW_RULE))
+ self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.NEVERALLOW_RULE))
+ self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.OTHER))
+
+ def testProcessInheritsSegment(self):
+ inherit_offset = 448 # needs changing if file changes
+ self.test_file.seek(inherit_offset, 0)
+ inherit_result = SELinux_CTS.process_inherits_segment(self.test_file)
+ self.failUnless(inherit_result == 'file')
+ return
+
+ def testFromFileName(self):
+ #using a special file, since the test_file has some lines which don't 'jive'
+ clean_policy_file = 'policy_clean_test.conf'
+ from_file_policy = SELinuxPolicy()
+ from_file_policy.from_file_name(clean_policy_file)
+ self.failUnless(from_file_policy.types == self.test_policy.types)
+ self.failUnless(from_file_policy.attributes == self.test_policy.attributes)
+ self.failUnless(from_file_policy.classes == self.test_policy.classes)
+ self.failUnless(from_file_policy.common_classes == self.test_policy.common_classes)
+ self.failUnless(from_file_policy.allow_rules == self.test_policy.allow_rules)
+ self.failUnless(from_file_policy.neverallow_rules == self.test_policy.neverallow_rules)
+
+ def testExpandPermissions(self):
+ #test general case
+ test_class_obj = 'file'
+ general_set = set(['read', 'write', 'execute'])
+ expanded_general_set = general_set
+ self.failUnless(self.test_policy.expand_permissions(test_class_obj, general_set)
+ == general_set)
+ star_set = set(['*'])
+ expanded_star_set = self.test_policy.classes['file'] #everything in the class
+ self.failUnless(self.test_policy.expand_permissions(test_class_obj, star_set)
+ == expanded_star_set)
+ complement_set = set(['*', '-open'])
+ expanded_complement_set = self.test_policy.classes['file'] - set(['open'])
+ self.failUnless(self.test_policy.expand_permissions(test_class_obj, complement_set)
+ == expanded_complement_set)
+
+ def testExpandTypes(self):
+
+ #test general case and '-' handling
+ test_source_set = set([
+ 'domain',
+ '-bluetooth' ])
+ expanded_test_source_set = set([
+ 'healthd', 'testTYPE' ])
+ self.failUnless(self.test_policy.expand_types(test_source_set) == expanded_test_source_set)
+
+ #test '*' handling
+ test_source_set = set([ '*' ])
+ expanded_test_source_set = set([
+ 'bluetooth', 'healthd', 'testTYPE' ])
+ self.failUnless(self.test_policy.expand_types(test_source_set) == types)
+ #test - handling
+ test_source_set = set([
+ '*',
+ '-bluetooth'])
+ expanded_test_source_set = set([
+ 'healthd', 'healthd_exec', 'testTYPE' ])
+ self.failUnless(self.test_policy.expand_types(test_source_set) == expanded_test_source_set)
+
+ def testProcessAttributeLine(self):
+ attribute_policy = SELinuxPolicy()
+ #test with 'normal input'
+ test_normal_string = 'attribute TEST_att;'
+ test_attribute = 'TEST_att'
+ attribute_policy.process_attribute_line(test_normal_string)
+ self.failUnless( test_attribute in attribute_policy.attributes)
+ #TODO: test on bogus inputs
+
+ def testProcessClassLine(self):
+ class_policy = SELinuxPolicy()
+ #offsets need changing if test file changes
+ common_offset = 279
+ class_initial_offset = 212
+ class_perm_offset = 437
+ self.test_file.seek(common_offset, 0)
+ line = self.test_file.readline()
+ class_policy.process_common_line(line, self.test_file)
+ self.test_file.seek(class_initial_offset, 0)
+ line = self.test_file.readline()
+ class_policy.process_class_line(line, self.test_file)
+ self.failUnless('file' in class_policy.classes)
+ self.test_file.seek(class_perm_offset, 0)
+ line = self.test_file.readline()
+ class_policy.process_class_line(line, self.test_file)
+ self.failUnless(class_policy.classes['file'] == classes['file'])
+
+ def testProcessCommonLine(self):
+ common_policy = SELinuxPolicy()
+ common_offset = 279 # needs changing if file changes
+ self.test_file.seek(common_offset, 0)
+ line = self.test_file.readline()
+ common_policy.process_common_line(line, self.test_file)
+ self.failUnless('file' in common_policy.common_classes )
+ self.failUnless(common_policy.common_classes['file'] == common_classes['file'])
+
+ def testProcessAvcRuleLine(self):
+ avc_policy = SELinuxPolicy()
+ allow_offset = 26091 # needs changing if file changes
+ neverallow_offset = 26311 # needs changing if file changes
+ self.test_file.seek(allow_offset, 0)
+ line = self.test_file.readline()
+ avc_policy.process_avc_rule_line(line, self.test_file)
+ self.failUnless(avc_policy.allow_rules[0] == allow_rules[0] ) # always '0'?
+ self.test_file.seek(neverallow_offset, 0)
+ line = self.test_file.readline()
+ avc_policy.process_avc_rule_line(line, self.test_file)
+ self.failUnless(avc_policy.neverallow_rules[0] == neverallow_rules[0] ) # always '0'?
+
+ def testProcessTypeLine(self):
+ type_policy = SELinuxPolicy()
+ test_normal_string = 'type TEST_type, TEST_att1, TEST_att2;'
+ test_type = 'TEST_type'
+ test_atts = ['TEST_att1', 'TEST_att2']
+ #test with 'normal input'
+ type_policy.process_type_line(test_normal_string)
+ self.failUnless(test_type in type_policy.types)
+ for a in test_atts:
+ self.failUnless(a in type_policy.attributes)
+ self.failUnless(test_type in type_policy.attributes[a])
+ #TODO: test with domain only, no attributes
+ # and test on bogus inputs
+
+ def testProcessTypeattributeLine(self):
+ typ_att_policy = SELinuxPolicy()
+ test_normal_string = 'typeattribute TEST_type TEST_att1, TEST_att2;'
+ test_type = 'TEST_type'
+ test_atts = ['TEST_att1', 'TEST_att2']
+ #test with 'normal input' (type should already be declared)
+ typ_att_policy.process_type_line('type ' + test_type + ';')
+ typ_att_policy.process_typeattribute_line(test_normal_string)
+ self.failUnless(test_type in typ_att_policy.types)
+ for a in test_atts:
+ self.failUnless(a in typ_att_policy.attributes)
+ self.failUnless(test_type in typ_att_policy.attributes[a])
+ #TODO: test with domain only, no attributes
+ # and test on bogus inputs
+
+def main():
+ unittest.main()
+
+if __name__ == '__main__':
+ main()
diff --git a/tools/tradefed-host/res/report/cts_result.xsl b/tools/tradefed-host/res/report/cts_result.xsl
index 3c914dc..7bc216b 100644
--- a/tools/tradefed-host/res/report/cts_result.xsl
+++ b/tools/tradefed-host/res/report/cts_result.xsl
@@ -339,8 +339,7 @@
<TD class="rowtitle">Host Info</TD>
<TD>
<xsl:value-of select="TestResult/HostInfo/@name"/>
- (<xsl:value-of select="TestResult/HostInfo/Os/@name"/> -
- <xsl:value-of select="TestResult/HostInfo/Os/@version"/>)
+ (<xsl:value-of select="TestResult/HostInfo/Os/@name"/> - <xsl:value-of select="TestResult/HostInfo/Os/@version"/>)
</TD>
</TR>
<TR>
@@ -467,7 +466,9 @@
<TD class="package" colspan="3">
<xsl:variable name="href"><xsl:value-of select="@appPackageName"/></xsl:variable>
<a name="{$href}">Compatibility Test Package: <xsl:value-of select="@appPackageName"/>
- abi: <xsl:value-of select="@abi"/>
+ <xsl:if test="@abi">
+ ABI: <xsl:value-of select="@abi"/>
+ </xsl:if>
</a>
</TD>
</TR>
@@ -512,7 +513,7 @@
<xsl:if test="@result='pass'">
<TD class="pass">
<div style="text-align: center; margin-left:auto; margin-right:auto;">
- known problem
+ Known problem
</div>
</TD>
<TD class="failuredetails"></TD>
@@ -585,7 +586,7 @@
</DIV>
</xsl:template>
- <!-- Take a delimited string and insert line breaks after a some number of elements. -->
+ <!-- Take a delimited string and insert line breaks after a some number of elements. -->
<xsl:template name="formatDelimitedString">
<xsl:param name="string" />
<xsl:param name="numTokensPerRow" select="10" />
@@ -595,7 +596,7 @@
<xsl:variable name="token" select="substring-before($string, ';')" />
<xsl:value-of select="$token" />
<xsl:text> </xsl:text>
-
+
<xsl:if test="$tokenIndex mod $numTokensPerRow = 0">
<br />
</xsl:if>
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/CtsTest.java b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/CtsTest.java
index a91fdca..6d617ea 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/CtsTest.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/CtsTest.java
@@ -663,20 +663,7 @@
}
} else if (mClassName != null) {
Log.i(LOG_TAG, String.format("Executing CTS test class %s", mClassName));
- // try to find packages to run from class name
- List<String> packageIds = testRepo.findPackageIdsForTest(mClassName);
- if (!packageIds.isEmpty()) {
- for (String packageId: packageIds) {
- ITestPackageDef testPackageDef = testRepo.getTestPackage(packageId);
- if (testPackageDef != null) {
- testPackageDef.setClassName(mClassName, mMethodName);
- testPkgDefs.add(testPackageDef);
- }
- }
- } else {
- Log.logAndDisplay(LogLevel.WARN, LOG_TAG, String.format(
- "Could not find package for test class %s", mClassName));
- }
+ testPkgDefs.addAll(buildTestPackageDefSet(testRepo, mClassName, mMethodName));
} else if (mTestName != null) {
Log.i(LOG_TAG, String.format("Executing CTS test %s", mTestName));
String [] split = mTestName.split("#");
@@ -686,20 +673,7 @@
} else {
String className = split[0];
String methodName = split[1];
- // try to find packages to run from class name
- List<String> packageIds = testRepo.findPackageIdsForTest(className);
- if (!packageIds.isEmpty()) {
- for (String packageId: packageIds) {
- ITestPackageDef testPackageDef = testRepo.getTestPackage(packageId);
- if (testPackageDef != null) {
- testPackageDef.setClassName(className, methodName);
- testPkgDefs.add(testPackageDef);
- }
- }
- } else {
- Log.logAndDisplay(LogLevel.WARN, LOG_TAG, String.format(
- "Could not find package for test class %s", mTestName));
- }
+ testPkgDefs.addAll(buildTestPackageDefSet(testRepo, className, methodName));
}
} else if (mContinueSessionId != null) {
// create an in-memory derived plan that contains the notExecuted tests from previous
@@ -740,6 +714,29 @@
}
/**
+ * @return a {@link Set} containing {@ITestPackageDef}s pertaining to the given
+ * {@code className} and {@code methodName}.
+ */
+ private static Set<ITestPackageDef> buildTestPackageDefSet(
+ ITestPackageRepo testRepo, String className, String methodName) {
+ Set<ITestPackageDef> testPkgDefs = new LinkedHashSet<ITestPackageDef>();
+ // try to find packages to run from class name
+ List<String> packageIds = testRepo.findPackageIdsForTest(className);
+ if (packageIds.isEmpty()) {
+ Log.logAndDisplay(LogLevel.WARN, LOG_TAG, String.format(
+ "Could not find package for test class %s", className));
+ }
+ for (String packageId: packageIds) {
+ ITestPackageDef testPackageDef = testRepo.getTestPackage(packageId);
+ if (testPackageDef != null) {
+ testPackageDef.setClassName(className, methodName);
+ testPkgDefs.add(testPackageDef);
+ }
+ }
+ return testPkgDefs;
+ }
+
+ /**
* Return the list of unique prerequisite apks to install
* @param testPackages
*/
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageDef.java b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageDef.java
index 45c176a..2eccb50 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageDef.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageDef.java
@@ -60,9 +60,6 @@
public static final String UIAUTOMATOR_TEST = "uiAutomator";
public static final String JUNIT_DEVICE_TEST = "jUnitDeviceTest";
- private static final String SIGNATURE_TEST_METHOD = "testSignature";
- private static final String SIGNATURE_TEST_CLASS = "android.tests.sigtest.SignatureTest";
-
private String mAppPackageName = null;
private String mAppNameSpace = null;
private String mName = null;
@@ -70,7 +67,6 @@
private String mTestType = null;
private String mJarPath = null;
private String mRunTimeArgs = null;
- private boolean mIsSignatureTest = false;
private String mTestPackageName = null;
private String mDigest = null;
private IAbi mAbi = null;
@@ -176,14 +172,6 @@
return mJarPath;
}
- void setIsSignatureCheck(boolean isSignatureCheckTest) {
- mIsSignatureTest = isSignatureCheckTest;
- }
-
- boolean isSignatureCheck() {
- return mIsSignatureTest;
- }
-
void setTestPackageName(String testPackageName) {
mTestPackageName = testPackageName;
}
@@ -288,26 +276,6 @@
} else if (UIAUTOMATOR_TEST.equals(mTestType)) {
UiAutomatorJarTest uiautomatorTest = new UiAutomatorJarTest();
return setUiAutomatorTest(uiautomatorTest);
- } else if (mIsSignatureTest) {
- // TODO: hardcode the runner/class/method for now, since current package xml points to
- // specialized instrumentation. Eventually this special case for signatureTest can be
- // removed, and it can be treated just like a normal InstrumentationTest
- CLog.d("Creating signature test %s", mName);
- CtsInstrumentationApkTest instrTest = new CtsInstrumentationApkTest();
- instrTest.setPackageName(mAppNameSpace);
- instrTest.setRunnerName("android.test.InstrumentationTestRunner");
- instrTest.setClassName(SIGNATURE_TEST_CLASS);
- instrTest.setMethodName(SIGNATURE_TEST_METHOD);
- instrTest.setAbi(mAbi);
- mTests.clear();
- // set expected tests to the single signature test
- TestIdentifier t = new TestIdentifier(
- SIGNATURE_TEST_CLASS, SIGNATURE_TEST_METHOD);
- mTests.add(t);
- // mName means 'apk file name' for instrumentation tests
- instrTest.addInstallApk(String.format("%s.apk", mName), mAppNameSpace);
- mDigest = generateDigest(testCaseDir, String.format("%s.apk", mName));
- return instrTest;
} else if (JUNIT_DEVICE_TEST.equals(mTestType)){
CLog.d("Creating JUnit device test %s", mName);
JUnitDeviceTest jUnitDeviceTest = new JUnitDeviceTest();
@@ -438,7 +406,7 @@
}
/**
- * Get the collection of tests in this test package.
+ * {@inheritDoc}
*/
@Override
public Collection<TestIdentifier> getTests() {
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageRepo.java b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageRepo.java
index 4c549e2..ce91a8a 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageRepo.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageRepo.java
@@ -84,7 +84,14 @@
Set<TestPackageDef> defs = parser.getTestPackageDefs();
if (!defs.isEmpty()) {
for (TestPackageDef def : defs) {
- mTestMap.get(def.getAbi().getName()).put(def.getAppPackageName(), def);
+ String name = def.getAppPackageName();
+ String abi = def.getAbi().getName();
+ if (def.getTests().size() > 0) {
+ mTestMap.get(abi).put(name, def);
+ } else {
+ Log.i(LOG_TAG, String.format("No tests in %s for %s, skipping",
+ name, abi));
+ }
}
} else {
Log.w(LOG_TAG, String.format("Could not find test package info in xml file %s",
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageXmlParser.java b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageXmlParser.java
index 71279c7..8f4f1b0 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageXmlParser.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/testtype/TestPackageXmlParser.java
@@ -82,7 +82,6 @@
final String packageName = attributes.getValue("name");
final String runnerName = attributes.getValue("runner");
final String jarPath = attributes.getValue("jarPath");
- final boolean signatureCheck = parseBoolean(attributes.getValue("signatureCheck"));
final String javaPackageFilter = attributes.getValue("javaPackageFilter");
final String targetBinaryName = attributes.getValue("targetBinaryName");
final String targetNameSpace = attributes.getValue("targetNameSpace");
@@ -98,7 +97,6 @@
packageDef.setRunner(runnerName);
packageDef.setTestType(testType);
packageDef.setJarPath(jarPath);
- packageDef.setIsSignatureCheck(signatureCheck);
packageDef.setRunTimeArgs(runTimeArgs);
if (!"".equals(javaPackageFilter)) {
packageDef.setTestPackageName(javaPackageFilter);
diff --git a/tools/tradefed-host/tests/Android.mk b/tools/tradefed-host/tests/Android.mk
index 7d4ab4a..2734a5b 100644
--- a/tools/tradefed-host/tests/Android.mk
+++ b/tools/tradefed-host/tests/Android.mk
@@ -24,6 +24,4 @@
LOCAL_JAVA_LIBRARIES := tradefed-prebuilt cts-tradefed
LOCAL_STATIC_JAVA_LIBRARIES := easymock
-include $(BUILD_HOST_JAVA_LIBRARY)
-
-
+include $(BUILD_HOST_JAVA_LIBRARY)
\ No newline at end of file
diff --git a/tools/utils/buildCts.py b/tools/utils/buildCts.py
index cdd6e10..85adb0c 100755
--- a/tools/utils/buildCts.py
+++ b/tools/utils/buildCts.py
@@ -78,9 +78,6 @@
"""Generate test descriptions for all packages."""
pool = Pool(processes=2)
- # individually generate descriptions not following conventions
- pool.apply_async(GenerateSignatureCheckDescription, [self.test_repository])
-
# generate test descriptions for android tests
results = []
pool.close()
@@ -118,7 +115,7 @@
plan.Exclude('android\.performance.*')
self.__WritePlan(plan, 'SDK')
- plan.Exclude(r'android\.tests\.sigtest')
+ plan.Exclude(r'android\.signature')
plan.Exclude(r'android\.core.*')
self.__WritePlan(plan, 'Android')
@@ -137,10 +134,6 @@
self.__WritePlan(plan, 'VM-TF')
plan = tools.TestPlan(packages)
- plan.Include(r'android\.tests\.sigtest')
- self.__WritePlan(plan, 'Signature')
-
- plan = tools.TestPlan(packages)
plan.Include(r'android\.tests\.appsecurity')
self.__WritePlan(plan, 'AppSecurity')
@@ -328,6 +321,7 @@
'android.rscpp' : [],
'android.rsg' : [],
'android.sax' : [],
+ 'android.signature' : [],
'android.speech' : [],
'android.tests.appsecurity' : [],
'android.text' : [],
@@ -370,7 +364,7 @@
'android.location2' : [],
'android.print' : [],
'android.renderscriptlegacy' : [],
- 'android.tests.sigtest' : [],
+ 'android.signature' : [],
'android.tv' : [],
'android.uiautomation' : [],
'android.uirendering' : [],
@@ -434,18 +428,6 @@
def LogGenerateDescription(name):
print 'Generating test description for package %s' % name
-def GenerateSignatureCheckDescription(test_repository):
- """Generate the test description for the signature check."""
- LogGenerateDescription('android.tests.sigtest')
- package = tools.TestPackage('SignatureTest', 'android.tests.sigtest')
- package.AddAttribute('appNameSpace', 'android.tests.sigtest')
- package.AddAttribute('signatureCheck', 'true')
- package.AddAttribute('runner', '.InstrumentationRunner')
- package.AddTest('android.tests.sigtest.SignatureTest.testSignature')
- description = open(os.path.join(test_repository, 'SignatureTest.xml'), 'w')
- package.WriteDescription(description)
- description.close()
-
if __name__ == '__main__':
builder = CtsBuilder(sys.argv)
result = builder.GenerateTestDescriptions()