place dex2oat auditallow statements in userdebug_or_eng blocks
By convention, auditallow statements are always placed in
userdebug_or_eng() blocks. This ensures that we don't inadvertently ship
audit rules on production devices, which could result in device logspam,
and in pathological situations, impact device performance (generating
audit messages is much more expensive than a standard SELinux check).
Bug: 117606664
Test: policy compiles.
Change-Id: I681ed73c83683e8fdbef9cf662488115f6e7a490
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2db9c4b..7c266a5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -53,5 +53,4 @@
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
-auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;
-
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c828f64..b8fd22e 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -34,5 +34,4 @@
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
-auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;
-
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')