Commit 59469370 authored by Stephen Smalley's avatar Stephen Smalley

Add rules to permit CTS security-related tests to run.


Change-Id: I184458af1f40de6f1ab99452e76ba586dad1319e
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent ae2a35c6
...@@ -152,6 +152,30 @@ allow appdomain self:rawip_socket create_socket_perms; ...@@ -152,6 +152,30 @@ allow appdomain self:rawip_socket create_socket_perms;
allow appdomain usb_device:chr_file { read write getattr ioctl }; allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr }; allow appdomain usbaccessory_device:chr_file { read write getattr };
###
### CTS-specific rules
###
# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };
# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;
### ###
### Neverallow rules ### Neverallow rules
### ###
...@@ -204,7 +228,6 @@ neverallow { appdomain -unconfineddomain } ...@@ -204,7 +228,6 @@ neverallow { appdomain -unconfineddomain }
netlink_tcpdiag_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_nflog_socket
netlink_xfrm_socket netlink_xfrm_socket
netlink_selinux_socket
netlink_audit_socket netlink_audit_socket
netlink_ip6fw_socket netlink_ip6fw_socket
netlink_dnrt_socket netlink_dnrt_socket
...@@ -313,8 +336,6 @@ neverallow { appdomain -unconfineddomain } ...@@ -313,8 +336,6 @@ neverallow { appdomain -unconfineddomain }
# Write to various pseudo file systems. # Write to various pseudo file systems.
neverallow { appdomain -nfc -unconfineddomain } neverallow { appdomain -nfc -unconfineddomain }
sysfs:dir_file_class_set write; sysfs:dir_file_class_set write;
neverallow { appdomain -system_app -unconfineddomain }
selinuxfs:dir_file_class_set write;
neverallow { appdomain -unconfineddomain } neverallow { appdomain -unconfineddomain }
proc:dir_file_class_set write; proc:dir_file_class_set write;
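Review bot: The rules added under "CTS-specific rules" (`allow appdomain domain:dir ...`, `allow appdomain domain:{ file lnk_file } ...` and `allow appdomain domain:process getattr;`) are attached to the `appdomain` attribute, so every app domain gains read access to the /proc/<pid> entries of all domains as far as SELinux is concerned, not only the CTS packages named in the comments. If that breadth is intended, state it at the rule, e.g. `# NOTE: applies to all app domains, not just CTS; /proc/<pid> files of every domain become readable by apps.` The two neverallow removals in the later hunks (`netlink_selinux_socket` and `selinuxfs:dir_file_class_set write`) carry no explanation; presumably the `selinux_check_access`/`selinux_check_context` macros require them, but the macro definitions are not visible here, so a comment beside the macro calls naming that dependency would help. With the selinuxfs write guard removed, it is worth confirming that the policy still has a neverallow for app domains on the `security` class permissions that matter, such as `setenforce` and `load_policy`.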