authorRuslan Trofymenko2018-11-09 19:43:31 -0600
committerPraneeth Bajjuri2018-11-09 13:54:27 -0600
commit275752669269b517bc91f0f76362323ae7190a9b (patch)
tree91206d31fb6becd692b5ffadd9d55e3cb74833f5
parent6390cf87697ef1c282cacf69f31d9f6a20c93377 (diff)
app: removed unused /dev/ion write permissionsd-oreo-mr1-core-release
This patch is based on: Jeffrey Vander Stoep: system/sepolicy: app: removed unused /dev/ion write permissions https://android-review.googlesource.com/c/platform/system/sepolicy/+/673492 Direct backport without additional commits is impossible. The target policy has been moved from private/app.te to public/app.te. The /dev/ion driver's file operations structure does not specify a write operation. Granting write is meaningless. This audit statement has been around since Android Oreo, and logs collected from dogfooders show that no apps are attempting to open the file with write permissions. Test: build Test: verify no "granted" messages from dogfood devices. Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
-rw-r--r--private/app.te2
1 files changed, 0 insertions, 2 deletions
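--- a/private/app.te
+++ b/private/app.te
@@ -287,8 +287,6 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);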