Merge "Revert "Ensure /sys restrictions for isolated_apps"" am: 3e60e38a40 am: 89185f5aa8 am: 3f5bc5022b Change-Id: I0c442961eab964595ad072ec1a4308a4cc2c6888

commit: 0011fd408c89e728c9ea49c781fe1673685efa88 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Oct 07 16:35:24 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Sat Oct 07 16:35:24 2017 +0000
tree: 7523b295de98483b6e77d36828090f541c59ce71
parent: 91f41549a7f4107f463941c3ca031a291a0e7c5e [diff]
parent: 3f5bc5022b2c6796d0fdf157758c33f5fbe635ee [diff]
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 30253af..951a0df 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te

@@ -103,11 +103,3 @@
 
 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
-  sysfs_type
-  -sysfs_devices_system_cpu
-  -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
-}:file no_rw_file_perms;
commit	0011fd408c89e728c9ea49c781fe1673685efa88	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Oct 07 16:35:24 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Sat Oct 07 16:35:24 2017 +0000
tree	7523b295de98483b6e77d36828090f541c59ce71
parent	91f41549a7f4107f463941c3ca031a291a0e7c5e [diff]
parent	3f5bc5022b2c6796d0fdf157758c33f5fbe635ee [diff]