Temporarily add auditing of execmod by apps.

This is so we can get data on which apps are actually doing this. Bug: 111544476 Test: Device boots. No audits seen on test device. Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea

Temporarily add auditing of execmod by apps.
This is so we can get data on which apps are actually doing this. Bug: 111544476 Test: Device boots. No audits seen on test device. Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea
708aa90d · Alan Stokes · 13e60ed1 · 708aa90d
Commit 708aa90d authored 6 years ago by Alan Stokes
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -151,6 +151,10 @@ userdebug_or_eng(`
  }:{ dir file lnk_file } { getattr open read };
 ')

+# Temporary auditing to get data on what apps use execmod.
+# TODO(b/111544476) Remove this and deny the permission if feasible.
+auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
+
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this