cts.te

#
# Rules to allow the Android CTS to run.
# Do not enable in production policy.
#

bool android_cts false;
if (android_cts) {
# For TestDeviceSetup (RootProcessScanner).
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for android.security.cts.VoldExploitTest.
# Requires ability to read /proc/pid/cmdline of vold.
allow appdomain domain:dir r_dir_perms;
allow appdomain domain:{ file lnk_file } r_file_perms;

# Will still fail when trying to read other app /proc/pid
# entries due to MLS constraints.  Just silence the denials.
dontaudit appdomain appdomain:dir r_dir_perms;
dontaudit appdomain appdomain:file r_file_perms;

# For android.permission.cts.FileSystemPermissionTest.
# Walk the file tree, stat any file in order to check file permissions.
allow appdomain fs_type:dir r_dir_perms;
allow appdomain dev_type:dir r_dir_perms;
allow appdomain file_type:dir_file_class_set getattr;
allow appdomain dev_type:dir_file_class_set getattr;
allow appdomain fs_type:dir_file_class_set getattr;

# Tries to open /dev/alarm for writing but expects failure.
dontaudit appdomain alarm_device:chr_file write;

# For android.security.cts.VoldExploitTest.
# Tries to create and use a netlink kobject uevent socket
# to test for a vulnerable vold.
dontaudit appdomain self:netlink_kobject_uevent_socket create;

# Tries to override DAC restrictions but expects to fail.
dontaudit shell self:capability dac_override;
}