From c6cbeadb2147bad0107a1eb1c4a2ebaaa11f5fd0 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Mon, 7 Jan 2019 14:08:11 +0000
Subject: [PATCH] Un-revert "Audit execution of app_data_file native code."

This was originally implemented in commit 890414725f35fae61a3f16532724c8f6365599f9 and reverted in commit fa3eb773ce45c9c1a38a579f31799ffc00b85952. This effectively reverts the revert, with minimal changes to cope with the subsequent reversion of commit b362474374afc402f65695252d30a008326c0eba. Auditing is only enabled for apps targeting API <= 28.

Test: Compiles, audit messages are seen.
Bug: 121333210
Bug: 111338677
Change-Id: Ie38498a2b61f4b567902117f9ef293faa0e689dd
---
 private/untrusted_app_25.te | 1 +
 private/untrusted_app_27.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7c266a524..6f92ef5bb 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,7 @@ allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file exe
 # for targetApi<=25. This is also allowed for targetAPIs 26, 27,
 # and 28 in untrusted_app_27.te.
 allow untrusted_app_25 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
 
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b8fd22eb4..be155c973 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
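Review bot: The `auditallow` added in private/untrusted_app_25.te logs `execute` as well as `execute_no_trans`, but the comment above it (whose first line lies outside the hunk) only describes calling exec(). Someone triaging the audit records therefore gets no hint that granted `execute` checks on app_data_file, which also cover mapping a file executable (for example loading a native library from the app's data directory), are logged too. I would add a comment directly above the new line, such as `# Audit both exec() and executable mappings of app_data_file; userdebug/eng builds only.` The `userdebug_or_eng` wrapper means user builds emit no records, so a lack of audit messages from production devices says nothing about real-world usage, and the comment should say so. The identical line added in private/untrusted_app_27.te needs the same comment.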
@@ -30,6 +30,7 @@ bluetooth_domain(untrusted_app_27)
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
 
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
-- 
GitLab