Merge "app: removed unused /dev/ion write permissions"

commit: c58f3de7e5512e82fa1a0011b36d8ce3d5a9b620 [log] [tgz]
author: android-build-prod (mdb) <android-build-team-robot@google.com> Thu Apr 26 21:18:46 2018 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Apr 26 21:18:46 2018 +0000
tree: 126a9c773fd59accc9f2f4788a28df9abdf57a9a
parent: aa2185bba66510d9226d9c609aa180c4385baefa [diff]
parent: c20ba5bd68b07e08643525728a05c5cdf9eef781 [diff]
diff --git a/public/app.te b/public/app.te
index b5e77c1..8e34040 100644
--- a/public/app.te
+++ b/public/app.te

@@ -297,9 +297,7 @@
 allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
 
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
commit	c58f3de7e5512e82fa1a0011b36d8ce3d5a9b620	[log] [tgz]
author	android-build-prod (mdb) <android-build-team-robot@google.com>	Thu Apr 26 21:18:46 2018 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Apr 26 21:18:46 2018 +0000
tree	126a9c773fd59accc9f2f4788a28df9abdf57a9a
parent	aa2185bba66510d9226d9c609aa180c4385baefa [diff]
parent	c20ba5bd68b07e08643525728a05c5cdf9eef781 [diff]