From 96a85d12c8467c064647dd27da57628a9a0547da Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sun, 2 Oct 2016 21:06:23 -0700
Subject: [PATCH] app: audit usage of ion ioctls

Test: builds and boots on Bullhead with no selinux audit messages.

Bug: 29795149
Bug: 30400942
Change-Id: I93295424a03488234b233d5e2f86d3bf329e53fd
---
 app.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index 2ac243a61..0617e7390 100644
--- a/app.te
+++ b/app.te
@@ -239,7 +239,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow { appdomain -isolated_app } ion_device:chr_file { write append };
+auditallow appdomain ion_device:chr_file { write append };
+# TODO audit ion ioctl usage by apps
+auditallow appdomain ion_device:chr_file ioctl;
 
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
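Review bot: The two added `auditallow` rules use `appdomain` as their source while the `allow` rule just above them still excludes `isolated_app`, and nothing in the hunk says why the sets differ. `auditallow` only logs accesses that are already granted, so the wider set has an effect only if `isolated_app` receives `ion_device` access from a rule outside this hunk. If that is the intent, a comment such as `# audit all of appdomain so ion access granted to isolated_app by other rules is logged too` would record it. The new TODO reads as pending work although the rule beneath it already does the auditing, so I would name the follow-up instead, e.g. `# TODO: restrict to an allowxperm ioctl whitelist once the audited commands are known`. Auditing every granted ioctl may also be noisy on devices whose apps use ion heavily, and if audit messages are rate limited that could crowd out denials, so it is worth checking on more than a boot test.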
-- 
GitLab