app: removed unused /dev/ion write permissions The /dev/ion driver's file operations structure does not specify a write operation. Granting write is meaningless. This audit statement has been around since Android Oreo and logs collected from dogfooders shows that no apps are attempting to open the file with write permissions. Bug: 28760354 Test: build Test: verify no "granted" messages from dogfood devices. Change-Id: Id4f3540bba8c9f30f9d912f7a7473933be779cbb

commit: c20ba5bd68b07e08643525728a05c5cdf9eef781 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Thu Apr 26 11:16:53 2018 -0700
committer: Jeff Vander Stoep <jeffv@google.com> Thu Apr 26 11:16:53 2018 -0700
tree: ea8dd1d273205a8a480b17faa06d3c76f3dc9299
parent: 3623c2b6c0e7cafa56bf1f579845f5b45e683436 [diff]
diff --git a/public/app.te b/public/app.te
index b5e77c1..8e34040 100644
--- a/public/app.te
+++ b/public/app.te

@@ -297,9 +297,7 @@
 allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
 
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
commit	c20ba5bd68b07e08643525728a05c5cdf9eef781	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Thu Apr 26 11:16:53 2018 -0700
committer	Jeff Vander Stoep <jeffv@google.com>	Thu Apr 26 11:16:53 2018 -0700
tree	ea8dd1d273205a8a480b17faa06d3c76f3dc9299
parent	3623c2b6c0e7cafa56bf1f579845f5b45e683436 [diff]