From 186466e9553a48cf66eeec7ec19b3dfdc9a7273d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 12 Oct 2018 13:25:12 -0700
Subject: [PATCH] move cgroup auditallow into userdebug_or_eng block

By convention, auditallow statements are typically put into
userdebug_or_eng blocks, to ensure we don't accidentally ship
unnecessary audit rules. Let's do the same here.

Test: policy compiles.
Change-Id: Ib3eac94284eea3c1ae2f3dacddcb2eaeca95230e
---
 public/domain.te | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 0f17fab13..c105a4714 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -277,15 +277,19 @@ allow {
   -untrusted_app_all
   -priv_app
 } cgroup:file w_file_perms;
-auditallow appdomain cgroup:file w_file_perms;
+userdebug_or_eng(`
+  auditallow appdomain cgroup:file w_file_perms;
+')
 
 # TODO(b/110043362): Clean up cgroup access from non-system domains.
 allow { domain -coredomain } cgroup:file w_file_perms;
-auditallow {
-  domain
-  -coredomain
-  -vendor_init
-} cgroup:file w_file_perms;
+userdebug_or_eng(`
+  auditallow {
+    domain
+    -coredomain
+    -vendor_init
+  } cgroup:file w_file_perms;
+')
 
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
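Review bot: Moving both auditallow statements under userdebug_or_eng also removes the only visibility into the broad `allow { domain -coredomain } cgroup:file w_file_perms;` on user builds, so the b/110043362 cleanup can now only be driven from userdebug/eng audit logs. The TODO comment should say so, e.g. `# Audited on userdebug/eng builds only; user builds grant this silently.`, so nobody later reads the absence of audit messages on a user device as evidence the access is unused. The enclosing allow block of the first rule (`allow {` in the hunk header) starts above the hunk.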
-- 
GitLab