domain_deprecated: remove ion access

am: 88e4be54a6

Change-Id: I064f2becfde44f300ddf9d36802972b35c54e152

private/domain_deprecated.te

@@ -149,25 +149,6 @@ auditallow {
 } cache_file:lnk_file r_file_perms;
 ')
 
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -fingerprintd
-  -keystore
-  -surfaceflinger
-  -system_server
-  -tee
-  -vold
-  -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)

public/dumpstate.te

@@ -199,6 +199,9 @@ allow dumpstate proc_zoneinfo:file r_file_perms;
 # Create a service for talking back to system_server
 add_service(dumpstate, dumpstate_service)
 
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
 ###
 ### neverallow rules
 ###