On 08/28/2013 10:47 AM, Tai Nguyen (tainguye) wrote:
> Yes, our production device has ssh.

Ok.  In that case, you could create a "gate" program (e.g.
/system/bin/test-harness) that all test code must be invoked through
that only gets installed for testing, and label it with an entrypoint
type that transitions to an unconfined test domain.  Then test code will
run unconfined, but on the production device, as the entrypoint program
won't exist, the test domain won't be reachable from the ssh/sshClient
domains on production devices.  You could also follow the example of the
su domain - look at external/sepolicy/Android.mk and su vs. su_user.te,
which switches the su policy based on whether the target build variant
is -user or not.  That causes the su domain to only be included in
-userdebug or -eng builds, not -user builds.
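
A policy sketch of the gate-program approach described in the reply above, added here as an illustration; it is not part of the original message and not AOSP code. The names test_harness, test_harness_exec and the file name test_harness.te are hypothetical, ssh and sshClient are the domains named in the thread, and the domain_auto_trans and unconfined_domain macros are assumed to be available from te_macros in external/sepolicy.

```selinux
# --- test_harness.te (hypothetical file name) ---
# Domain the test code runs in, and the type that labels the gate binary.
type test_harness, domain;
type test_harness_exec, exec_type, file_type;

# The only way into test_harness is to execute a file labelled
# test_harness_exec from one of the ssh domains named in the thread.
# domain_auto_trans allows executing the file, grants the entrypoint
# permission, allows the process transition, and makes that transition
# the default on exec.
domain_auto_trans(ssh, test_harness_exec, test_harness)
domain_auto_trans(sshClient, test_harness_exec, test_harness)

# Test code is not confined once it is inside the test domain.
# (Assumes the unconfined_domain macro exists in this policy tree.)
unconfined_domain(test_harness)

# --- file_contexts ---
# The following line belongs in file_contexts, not in the .te file.
# It labels the gate binary, which is installed only on test builds:
#
# /system/bin/test-harness    u:object_r:test_harness_exec:s0
```

With the second option from the reply, this file would additionally be left out of -user builds, the way su.te is swapped for su_user.te.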




