diff --git a/autotests/folding/test.cil.fold b/autotests/folding/test.cil.fold
--- a/autotests/folding/test.cil.fold
+++ b/autotests/folding/test.cil.fold
@@ -48,7 +48,7 @@
(classcommon file any dir)
(file any dir)
; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
(defaultrole tcp udp)
(tcp udp)
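Review bot: Swapping `tcp` for `sctp` on the first `portcon` line removes the only `portcon tcp` case visible in this hunk; the `tcp` tokens that remain, in `(defaultrole tcp udp)` and `(tcp udp)`, sit outside a portcon statement and so exercise a different path. Consider keeping the original line and adding the new protocol beside it, e.g. `(portcon sctp 3334 (unconfined.user object_r unconfined.object levelrange_1))` (port number constructed for the example), so a regression in either protocol keyword shows up in the reference output. The same replacement appears in the `test.cil.html` hunk at `@@ -49,12 +49,12 @@`. This file looks like regenerated reference output, so the change presumably belongs in the test input, which is not part of this diff.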
@@ -58,7 +58,7 @@
(fsuse trans tmpfs file.tmpfs_context)
(typemember xattr task trans)
(xattr task trans)
-
+
(allow unconfined.process self (file (read write)))
(allow process httpd.object (file (read write)))
@@ -142,3 +142,12 @@
(genfscon rootfs / rootfs_context)
(genfscon selinuxfs / selinuxfs_context)
)
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
diff --git a/autotests/folding/test.fc.fold b/autotests/folding/test.fc.fold
--- a/autotests/folding/test.fc.fold
+++ b/autotests/folding/test.fc.fold
@@ -56,6 +56,14 @@
/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
')
+# Android file contexts
+
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+* u:object_r:default_android_hwservice:s0
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+
# Tests
# Variables
diff --git a/autotests/html/test.cil.html b/autotests/html/test.cil.html
--- a/autotests/html/test.cil.html
+++ b/autotests/html/test.cil.html
@@ -8,7 +8,7 @@
; Tests
-(policycap open_perms) ; Policy config. statement
+(policycap open_perms) ; Policy config. statement
(mls true)
(handleunknown allow)
@@ -49,12 +49,12 @@
; filecon
(filecon "/system/bin/run-as" file runas_exec_context)
-(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
+(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())
(classcommon file any dir)
(file any dir)
; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
(defaultrole tcp udp)
(tcp udp)
@@ -64,16 +64,16 @@
(fsuse trans tmpfs file.tmpfs_context)
(typemember xattr task trans)
(xattr task trans)
-
+
(allow unconfined.process self (file (read write)))
(allow process httpd.object (file (read write)))
; Paths
-"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
-"/pa\12th.*a+b?"
-/usr/hi\"esc\032esc\*3es{2,2}ds
-"/data/(open "
-"/data/[open "
+"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
+"/pa\12th.*a+b?"
+/usr/hi\"esc\032esc\*3es{2,2}ds
+"/data/(open "
+"/data/[open "
; Some rules
@@ -90,14 +90,14 @@
(allowx type_3 type_4 ioctl_nodebug)
(dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
-(class property_service (set))
+(class property_service (set))
(block av_rules
(type type_1)
(type type_2)
(typeattribute all_types)
(typeattributeset all_types ((all)))
- (neverallow type_2 all_types (property_service (set)))
+ (neverallow type_2 all_types (property_service (set)))
)
(macro binder_call ((type ARG1) (type ARG2))
(allow ARG1 ARG2 (binder (transfer call)))
@@ -148,4 +148,13 @@
(genfscon rootfs / rootfs_context)
(genfscon selinuxfs / selinuxfs_context)
)
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission