From 708aa90dd210acd9ad75a5b8ca65fcba6fb48c5c Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Thu, 19 Jul 2018 17:42:21 +0100
Subject: [PATCH] Temporarily add auditing of execmod by apps.

This is so we can get data on which apps are actually doing this.

Bug: 111544476
Test: Device boots. No audits seen on test device.
Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea
---
 private/untrusted_app_all.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index c9bf65fa6..6e09c8cc6 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -151,6 +151,10 @@ userdebug_or_eng(`
 }:{ dir file lnk_file } { getattr open read };
 ')

+# Temporary auditing to get data on what apps use execmod.
+# TODO(b/111544476) Remove this and deny the permission if feasible.
+auditallow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;
+
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
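Review bot: The new `auditallow` rule is placed after the `')` that closes the `userdebug_or_eng` block, so it is active on user builds as well, and the comment does not say whether that is deliberate. If it is, which the stated goal of collecting data on real apps suggests, I would say so and note that the rule changes logging only, e.g. `# auditallow logs accesses that are already allowed; enforcement is unchanged. Enabled on all build types on purpose.` An app that triggers execmod repeatedly may produce enough avc records to crowd out unrelated denials in a rate-limited audit log, so a per-device look at log volume is worth adding to the test notes. The rule counts only `apk_data_file`, `app_data_file` and `asec_public_file`; if `untrusted_app_all` is allowed execmod on other types by rules outside this hunk, those uses will not appear in the data.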