From c20ba5bd68b07e08643525728a05c5cdf9eef781 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 26 Apr 2018 11:16:53 -0700
Subject: [PATCH] app: removed unused /dev/ion write permissions

The /dev/ion driver's file operations structure does not specify a write operation. Granting write is meaningless. This audit statement has been around since Android Oreo and logs collected from dogfooders shows that no apps are attempting to open the file with write permissions.

Bug: 28760354
Test: build
Test: verify no "granted" messages from dogfood devices.
Change-Id: Id4f3540bba8c9f30f9d912f7a7473933be779cbb
---
 public/app.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/public/app.te b/public/app.te
index b5e77c15c..8e34040ad 100644
--- a/public/app.te
+++ b/public/app.te
@@ -297,9 +297,7 @@ allow appdomain console_device:chr_file { read write };
 allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-- GitLab
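Review bot: The new `+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;` line still grants `ioctl`, since the r_file_perms macro expands to include it, and that is the driver's real interface; unlike the `allowxperm { appdomain -bluetooth } ...` rule directly above, which allowlists the socket ioctl numbers, nothing in this hunk narrows which ION ioctls apps may issue, so it is worth recording whether an `allowxperm` allowlist for ion_device is intended or deliberately deferred. Removing the `# TODO is write really necessary ?` comment along with the auditallow leaves no in-policy trace of why the rule is read-only, so a later change could reintroduce write without the dogfood evidence the commit message cites; a one-line comment above the new rule such as `# /dev/ion has no write file operation; read-only access is sufficient (b/28760354)` would preserve that rationale. Note that the rw_file_perms to r_file_perms change also drops `append`, which the removed auditallow covered, so the cited audit data supports both removals, but the commit message only mentions write.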