app: removed unused /dev/ion write permissions

The /dev/ion driver's file operations structure does not specify a write operation. Granting write is meaningless. This audit statement has been around since Android Oreo and logs collected from dogfooders shows that no apps are attempting to open the file with write permissions. Bug: 28760354 Test: build Test: verify no "granted" messages from dogfood devices. Change-Id: Id4f3540bba8c9f30f9d912f7a7473933be779cbb

app: removed unused /dev/ion write permissions
The /dev/ion driver's file operations structure does not specify a write operation. Granting write is meaningless. This audit statement has been around since Android Oreo and logs collected from dogfooders shows that no apps are attempting to open the file with write permissions. Bug: 28760354 Test: build Test: verify no "granted" messages from dogfood devices. Change-Id: Id4f3540bba8c9f30f9d912f7a7473933be779cbb
c20ba5bd · Jeff Vander Stoep · 3623c2b6 · c20ba5bd
Commit c20ba5bd authored 6 years ago by Jeff Vander Stoep
--- a/public/app.te
+++ b/public/app.te
@@ -297,9 +297,7 @@ allow appdomain console_device:chr_file { read write };
 allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);