# # Rules to allow the Android CTS to run. # Do not enable in production policy. # bool android_cts false; if (android_cts) { # Reads /proc/pid entries to check that no unexpected root # processes are running. allow appdomain domain:dir r_dir_perms; allow appdomain domain:{ file lnk_file } r_file_perms; # Will still fail when trying to read other app /proc/pid # entries due to MLS constraints. Just silence the denials. dontaudit appdomain appdomain:dir r_dir_perms; dontaudit appdomain appdomain:file r_file_perms; # Walk the file tree, stat any file. allow appdomain file_type:dir r_dir_perms; allow appdomain fs_type:dir r_dir_perms; allow appdomain dev_type:dir r_dir_perms; allow appdomain file_type:dir_file_class_set getattr; allow appdomain dev_type:dir_file_class_set getattr; allow appdomain fs_type:dir_file_class_set getattr; # Execute the shell or other system executables. allow appdomain shell_exec:file rx_file_perms; allow appdomain system_file:file rx_file_perms; # Read routing information. allow netdomain self:netlink_route_socket { create read write nlmsg_read }; # Tries to open /dev/alarm for writing but expects failure. dontaudit appdomain alarm_device:chr_file write; # Tries to create and use a netlink kobject uevent socket # to test for a vulnerable vold. dontaudit appdomain self:netlink_kobject_uevent_socket create; # Tries to override DAC restrictions but expects to fail. dontaudit shell self:capability dac_override; }