commit 747c69f43cdcf89258a5c97d776335d9ba16bbfb
author Treehugger Robot <treehugger-gerrit@google.com> Tue Nov 15 22:40:49 2016 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Nov 15 22:40:49 2016 +0000
tree 58e3f7cbe371b049c75bfbe694449190bccf2a2f
parent c121735f42e73f4c46004ef09b85cdb8359a517a
parent e0d5c5323dcbf0a3db90bb4b8dca603918d4449b

Merge "exclude su from app auditallow"

public/app.te

diff --git a/public/app.te b/public/app.te
index a443bbc..6cb3382 100644
--- a/public/app.te
+++ b/public/app.te
@@ -239,9 +239,9 @@
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow appdomain ion_device:chr_file { write append };
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 # TODO audit ion ioctl usage by apps
-auditallow appdomain ion_device:chr_file ioctl;
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file ioctl;
 
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;