Thanks, Steve. This may work. Tai
On 8/28/13 10:58 AM, "Stephen Smalley" <[email protected]> wrote: >On 08/28/2013 10:47 AM, Tai Nguyen (tainguye) wrote: >> Yes, our production device has ssh. > >Ok. In that case, you could create a "gate" program (e.g. >/system/bin/test-harness) that all test code must be invoked through >that only gets installed for testing, and label it with an entrypoint >type that transitions to an unconfined test domain. Then test code will >run unconfined but on the production device, as the entrypoint program >won't exist, the test domain won't be reachable from the ssh/sshClient >domains on production devices. You could also follow the example of the >su domain - look at external/sepolicy/Android.mk and su vs. su_user.te, >which switches the su policy based on whether the target build variant >is -user or not. That causes the su domain to only be included in >-userdebug or -eng builds, not -user builds. > > > > -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
