From 71fd337f040216cf24a09765589dd9a4dfbb4d4d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 8 Dec 2015 09:05:12 -0800
Subject: [PATCH] Change /dev/ion from read-only to read-write

Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.

Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
---
 adbd.te  | 2 +-
 shell.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/adbd.te b/adbd.te
index 07b64ac86..92e7c21e5 100644
--- a/adbd.te
+++ b/adbd.te
@@ -62,7 +62,7 @@ binder_use(adbd)
 binder_call(adbd, surfaceflinger)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file r_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
 r_dir_file(adbd, system_file)
 
 # Read /data/misc/adb/adb_keys.
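Review bot: The widened `+allow adbd ion_device:chr_file rw_file_perms;` line carries no rationale, while the neighbouring gpu_device rule is annotated with its bug reference (`# b/13188914`). The commit message states that allocation already works on a read-only open and that write is granted only because some clients open the device read-write, so that reasoning should be visible next to the rule rather than only in the history; I would add `# b/25965160: some clients open /dev/ion O_RDWR; allocation itself works read-only.` above it. Without such a note the next audit will have no way to tell a deliberate widening from an accidental one.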
diff --git a/shell.te b/shell.te
index 6eb7e5626..4b6acbc25 100644
--- a/shell.te
+++ b/shell.te
@@ -125,4 +125,4 @@ allow shell self:process ptrace;
 neverallow shell file_type:file link;
 
 # Allow access to ion memory allocation device.
-allow shell ion_device:chr_file { open read };
+allow shell ion_device:chr_file rw_file_perms;
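Review bot: This hunk widens shell's access beyond the read-only to read-write step the commit message describes: the removed rule granted exactly `{ open read }`, whereas `rw_file_perms` is a macro that, if it expands as the policy's global macros usually do, also adds ioctl, append, getattr and lock. For a device whose allocation interface is presumably ioctl-driven, ioctl is the meaningful new capability for the shell domain, not write, and the message does not justify it. Either keep an explicit narrower set such as `{ open read write }` if write is all that is needed, or update the comment so the grant is deliberate and traceable, e.g. `# Allow access to ion memory allocation device (b/25965160). rw_file_perms also grants ioctl, which the allocation path is understood to rely on.`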