From 7141f1055efae6a9060c5ab9c29a8f8a476f32a6 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 15 Apr 2016 09:18:55 -0700
Subject: [PATCH] do not enforce neverallow on CAP_SYS_RAWIO on debug builds

Bug: 27549740
Change-Id: I3f646984fbd9cbcb58636d158a9ac0afc5a930ce
---
 domain.te | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 9b2024b03..a66dd7eee 100644
--- a/domain.te
+++ b/domain.te
@@ -165,8 +165,19 @@ neverallow {
   -vold
 } self:capability mknod;
 
-# Limit raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -uncrypt -tee } self:capability sys_rawio;
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain')
+  -kernel
+  -init
+  -recovery
+  -ueventd
+  -watchdogd
+  -healthd
+  -uncrypt
+  -tee
+} self:capability sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow * self:memprotect mmap_zero;
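Review bot: On userdebug and eng builds the added `-domain` entry subtracts every type from the set, so the sys_rawio neverallow in this hunk stops being checked for all domains, not only for the one that needs raw I/O while debugging. If a single debug-only domain is the reason (the commit message gives only a bug number), subtracting just that type inside userdebug_or_eng would keep the assertion for everything else. With the blanket form, a sys_rawio allow rule that is not itself wrapped in userdebug_or_eng will compile on debug builds and presumably only fail on the user build, so the comment should say so: `# userdebug/eng: set is emptied (domain minus domain), so nothing is checked; any sys_rawio allow must itself be debug-only or the user build will fail.`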
-- 
GitLab