1 # 2 # Rules to allow the Android CTS to run. 3 # Do not enable in production policy. 4 # 5 6 bool android_cts false; 7 if (android_cts) { 8 # Reads /proc/pid entries to check that no unexpected root 9 # processes are running. 10 allow appdomain domain:dir r_dir_perms; 11 allow appdomain domain:{ file lnk_file } r_file_perms; 12 13 # Will still fail when trying to read other app /proc/pid 14 # entries due to MLS constraints. Just silence the denials. 15 dontaudit appdomain appdomain:dir r_dir_perms; 16 dontaudit appdomain appdomain:file r_file_perms; 17 18 # Walk the file tree, stat any file. 19 allow appdomain file_type:dir r_dir_perms; 20 allow appdomain fs_type:dir r_dir_perms; 21 allow appdomain dev_type:dir r_dir_perms; 22 allow appdomain file_type:dir_file_class_set getattr; 23 allow appdomain dev_type:dir_file_class_set getattr; 24 allow appdomain fs_type:dir_file_class_set getattr; 25 26 # Execute the shell or other system executables. 27 allow appdomain shell_exec:file rx_file_perms; 28 allow appdomain system_file:file rx_file_perms; 29 30 # Read routing information. 31 allow netdomain self:netlink_route_socket { create read write nlmsg_read }; 32 33 # Tries to open /dev/alarm for writing but expects failure. 34 dontaudit appdomain alarm_device:chr_file write; 35 36 # Tries to create and use a netlink kobject uevent socket 37 # to test for a vulnerable vold. 38 dontaudit appdomain self:netlink_kobject_uevent_socket create; 39 40 # Tries to override DAC restrictions but expects to fail. 41 dontaudit shell self:capability dac_override; 42 } 43