Merge "Un-revert "Audit execution of app_data_file native code.""

34bd20fb · Treehugger Robot · Gerrit Code Review · f1f1b4f0 · c6cbeadb · 34bd20fb
Commit 34bd20fb authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,7 @@ allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file exe
 # for targetApi<=25. This is also allowed for targetAPIs 26, 27,
 # and 28 in untrusted_app_27.te.
 allow untrusted_app_25 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')

 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.

--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,6 +30,7 @@ bluetooth_domain(untrusted_app_27)
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')

 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.