authorRuslan Trofymenko2018-11-09 19:43:31 -0600
committerPraneeth Bajjuri2018-11-09 13:54:27 -0600
commit275752669269b517bc91f0f76362323ae7190a9b (patch)
parent6390cf87697ef1c282cacf69f31d9f6a20c93377 (diff)
app: removed unused /dev/ion write permissionsd-oreo-mr1-core-release
This patch is based on: Jeffrey Vander Stoep: system/sepolicy: app: removed unused /dev/ion write permissions https://android-review.googlesource.com/c/platform/system/sepolicy/+/673492 Direct backport without additional commits is impossible. The target policy has been moved from private/app.te to public/app.te. The /dev/ion driver's file operations structure does not specify a write operation. Granting write is meaningless. This audit statement has been around since Android Oreo and logs collected from dogfooders show that no apps are attempting to open the file with write permissions. Test: build Test: verify no "granted" messages from dogfood devices. Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
1 files changed, 0 insertions, 2 deletions
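--- a/private/app.te
+++ b/private/app.te
@@ -287,8 +287,6 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
     ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);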
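Review bot: The new side of this hunk still grants `rw_file_perms` on `ion_device:chr_file` to `{ appdomain -isolated_app }`, so write and append remain allowed; only the `auditallow` that was collecting evidence of write attempts is dropped, which is the opposite of what the title "removed unused /dev/ion write permissions" promises. With the audit gone there is no longer any signal if an app does start opening /dev/ion for writing, so the permission should be tightened in the same change rather than left open and unobserved. Since the description itself states the driver has no write operation and dogfood logs show no write attempts, the allow rule can be narrowed safely: `allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;`. If the allow rule cannot be changed here because it is owned by public/app.te in the target branch (as the description hints), the title and description should say the change only removes the audit statement, not the permission.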