move cgroup auditallow into userdebug_or_eng block

By convention, auditallow statements are typically put into userdebug_or_eng blocks, to ensure we don't accidentally ship unnecessary audit rules. Let's do the same here. Test: policy compiles. Change-Id: Ib3eac94284eea3c1ae2f3dacddcb2eaeca95230e

move cgroup auditallow into userdebug_or_eng block
By convention, auditallow statements are typically put into userdebug_or_eng blocks, to ensure we don't accidentally ship unnecessary audit rules. Let's do the same here. Test: policy compiles. Change-Id: Ib3eac94284eea3c1ae2f3dacddcb2eaeca95230e
186466e9 · Nick Kralevich · 25b4eb21 · 186466e9
Commit 186466e9 authored 6 years ago by Nick Kralevich
--- a/public/domain.te
+++ b/public/domain.te
@@ -277,15 +277,19 @@ allow {
  -untrusted_app_all
  -priv_app
 } cgroup:file w_file_perms;
-auditallow appdomain cgroup:file w_file_perms;
+userdebug_or_eng(`
+  auditallow appdomain cgroup:file w_file_perms;
+')
 # TODO(b/110043362): Clean up cgroup access from non-system domains.
 allow { domain -coredomain } cgroup:file w_file_perms;
-auditallow {
+userdebug_or_eng(`
-  domain
+  auditallow {
-  -coredomain
+    domain
-  -vendor_init
+    -coredomain
-} cgroup:file w_file_perms;
+    -vendor_init
+  } cgroup:file w_file_perms;
+')
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker