From 594693705f0d5768db3c3212037da5fd5d5653be Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 16 Dec 2013 08:55:24 -0500
Subject: [PATCH] Add rules to permit CTS security-related tests to run.

Change-Id: I184458af1f40de6f1ab99452e76ba586dad1319e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index fb1c8ed73..eb9179369 100644
--- a/app.te
+++ b/app.te
@@ -152,6 +152,30 @@ allow appdomain self:rawip_socket create_socket_perms;
 allow appdomain usb_device:chr_file { read write getattr ioctl };
 allow appdomain usbaccessory_device:chr_file { read write getattr };
 
+###
+### CTS-specific rules
+###
+
+# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
+# Reads /proc/pid/status and statm entries to check that
+# no unexpected root processes are running.
+# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+# Reads /proc/pid/cmdline of vold.
+allow appdomain domain:dir { open read search getattr };
+allow appdomain domain:{ file lnk_file } { open read getattr };
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
+# Check SELinux policy and contexts.
+selinux_check_access(appdomain)
+selinux_check_context(appdomain)
+# Validate that each process is running in the correct security context.
+allow appdomain domain:process getattr;
+
 ###
 ### Neverallow rules
 ###
@@ -204,7 +228,6 @@ neverallow { appdomain -unconfineddomain }
         netlink_tcpdiag_socket
         netlink_nflog_socket
         netlink_xfrm_socket
-        netlink_selinux_socket
         netlink_audit_socket
         netlink_ip6fw_socket
         netlink_dnrt_socket
@@ -313,8 +336,6 @@ neverallow { appdomain -unconfineddomain }
 # Write to various pseudo file systems.
 neverallow { appdomain -nfc -unconfineddomain }
     sysfs:dir_file_class_set write;
-neverallow { appdomain -system_app -unconfineddomain }
-    selinuxfs:dir_file_class_set write;
 neverallow { appdomain -unconfineddomain }
     proc:dir_file_class_set write;
 
-- 
GitLab