From cfe1baea254020938b60fea318464a360b6c6500 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Nov 2018 10:45:56 -0800
Subject: [PATCH] place dex2oat auditallow statements in userdebug_or_eng
 blocks

By convention, auditallow statements are always placed in
userdebug_or_eng() blocks. This ensures that we don't inadvertently ship
audit rules on production devices, which could result in device logspam,
and in pathological situations, impact device performance (generating
audit messages is much more expensive than a standard SELinux check).

Bug: 117606664
Test: policy compiles.
Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490
---
 private/untrusted_app_25.te | 3 +--
 private/untrusted_app_27.te | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2db9c4b1a..7c266a524 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -53,5 +53,4 @@ allow untrusted_app_25 app_data_file:file execute_no_trans;
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
-auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;
-
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
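Review bot: The now-conditional auditallow on the last added line has no comment of its own, and the comment above it describes only the allow rule, so a reader cannot tell why dex2oat execution is audited or that user builds stop emitting these records. I would add a line above it such as `# Audit on userdebug/eng only: shows which apps still exec dex2oat; user builds log nothing for this rule.` The purpose is inferred from the existing compat comment, so the wording should be confirmed against the bug. The same applies to the identical change in private/untrusted_app_27.te. Anyone who relied on `avc: granted` records from production devices to measure remaining dex2oat use loses that signal with this change, which is worth stating in the policy file and not only in the commit message.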
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c828f6486..b8fd22eb4 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -34,5 +34,4 @@ allow untrusted_app_27 app_data_file:file execute_no_trans;
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
-auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;
-
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
-- 
GitLab