From 10a2ac24f2f280bbdbc0fe27fb3d9e9770c4442a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 4 Apr 2013 11:57:44 -0400
Subject: [PATCH] Document the relevant tests associated with specific rules.

Change-Id: I09b4e33b1c9ea201a96d2f07cb74bdb804b5aad2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 cts.te | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/cts.te b/cts.te
index 8f21ddac6..1963e0754 100644
--- a/cts.te
+++ b/cts.te
@@ -5,8 +5,11 @@
 
 bool android_cts false;
 if (android_cts) {
-# Reads /proc/pid entries to check that no unexpected root
-# processes are running.
+# For TestDeviceSetup (RootProcessScanner).
+# Reads /proc/pid/status and statm entries to check that
+# no unexpected root processes are running.
+# Also for android.security.cts.VoldExploitTest.
+# Requires ability to read /proc/pid/cmdline of vold.
 allow appdomain domain:dir r_dir_perms;
 allow appdomain domain:{ file lnk_file } r_file_perms;
 
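Review bot: The new comment names only /proc/pid/status, statm and vold's cmdline, but the two allow rules under it grant appdomain read access to every dir, file and lnk_file labeled with any domain type. That is wider than what the comment says the tests need, and the comment should state the gap, for example `# NOTE: covers all /proc/pid entries of every domain, not only the files named above; android_cts must stay false on production builds.` Narrowing the grant to the domain the tests run in would be the stronger fix, but whether that is practical cannot be judged from this hunk. The `if (android_cts) {` block opens here and closes outside the hunk.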
@@ -15,7 +18,8 @@ allow appdomain domain:{ file lnk_file } r_file_perms;
 dontaudit appdomain appdomain:dir r_dir_perms;
 dontaudit appdomain appdomain:file r_file_perms;
 
-# Walk the file tree, stat any file.
+# For android.permission.cts.FileSystemPermissionTest.
+# Walk the file tree, stat any file in order to check file permissions.
 allow appdomain fs_type:dir r_dir_perms;
 allow appdomain dev_type:dir r_dir_perms;
 allow appdomain file_type:dir_file_class_set getattr;
@@ -25,6 +29,7 @@ allow appdomain fs_type:dir_file_class_set getattr;
 # Tries to open /dev/alarm for writing but expects failure.
 dontaudit appdomain alarm_device:chr_file write;
 
+# For android.security.cts.VoldExploitTest.
 # Tries to create and use a netlink kobject uevent socket
 # to test for a vulnerable vold.
 dontaudit appdomain self:netlink_kobject_uevent_socket create;
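Review bot: The added test reference does not mention that `dontaudit` only silences the audit record. The create is still denied, but an app that tries to open a netlink kobject uevent socket leaves no AVC denial in the log. The comment itself describes that attempt as a probe for a vulnerable vold, so a line such as `# Denial is still enforced; this rule only suppresses the AVC message.` would make the logging trade-off explicit. Whether this rule sits inside the android_cts conditional is not visible from the hunk, and the rule list may continue past its last line.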
-- 
GitLab