Merge "exclude su from app auditallow"

747c69f4 · Treehugger Robot · Gerrit Code Review · c121735f · e0d5c532 · 747c69f4
Commit 747c69f4 authored 8 years ago by Treehugger Robot Committed by Gerrit Code Review 8 years ago
--- a/public/app.te
+++ b/public/app.te
@@ -239,9 +239,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }

 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow appdomain ion_device:chr_file { write append };
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 # TODO audit ion ioctl usage by apps
-auditallow appdomain ion_device:chr_file ioctl;
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file ioctl;

 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;