Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 1 | # |
| 2 | # Rules to allow the Android CTS to run. |
| 3 | # Do not enable in production policy. |
| 4 | # |
| 5 | |
| 6 | bool android_cts false; |
| 7 | if (android_cts) { |
| 8 | # Reads /proc/pid entries to check that no unexpected root |
| 9 | # processes are running. |
| 10 | allow appdomain domain:dir r_dir_perms; |
| 11 | allow appdomain domain:{ file lnk_file } r_file_perms; |
| 12 | |
| 13 | # Will still fail when trying to read other app /proc/pid |
| 14 | # entries due to MLS constraints. Just silence the denials. |
| 15 | dontaudit appdomain appdomain:dir r_dir_perms; |
| 16 | dontaudit appdomain appdomain:file r_file_perms; |
| 17 | |
| 18 | # Walk the file tree, stat any file. |
| 19 | allow appdomain file_type:dir r_dir_perms; |
| 20 | allow appdomain fs_type:dir r_dir_perms; |
| 21 | allow appdomain dev_type:dir r_dir_perms; |
| 22 | allow appdomain file_type:dir_file_class_set getattr; |
| 23 | allow appdomain dev_type:dir_file_class_set getattr; |
| 24 | allow appdomain fs_type:dir_file_class_set getattr; |
| 25 | |
| 26 | # Execute the shell or other system executables. |
| 27 | allow appdomain shell_exec:file rx_file_perms; |
| 28 | allow appdomain system_file:file rx_file_perms; |
| 29 | |
| 30 | # Read routing information. |
| 31 | allow netdomain self:netlink_route_socket { create read write nlmsg_read }; |
| 32 | |
| 33 | # Tries to open /dev/alarm for writing but expects failure. |
| 34 | dontaudit appdomain alarm_device:chr_file write; |
| 35 | |
| 36 | # Tries to create and use a netlink kobject uevent socket |
| 37 | # to test for a vulnerable vold. |
| 38 | dontaudit appdomain self:netlink_kobject_uevent_socket create; |
| 39 | |
| 40 | # Tries to override DAC restrictions but expects to fail. |
| 41 | dontaudit shell self:capability dac_override; |
| 42 | } |