Merge "Revert "Ensure /sys restrictions for isolated_apps""

commit: 3e60e38a40b81a851589635a75455d7d093f6455 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Oct 07 16:05:25 2017 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Sat Oct 07 16:05:25 2017 +0000
tree: 27770429af7426c29e32406f5c27efee4b5a3887
parent: eb1ae18836a8fa48bee4837959ca1b3b6320b71e [diff]
parent: ae48ecbde9e9e0cc69d5d89f895d96e08ab813a4 [diff]
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 30253af..951a0df 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te

@@ -103,11 +103,3 @@
 
 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
-  sysfs_type
-  -sysfs_devices_system_cpu
-  -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
-}:file no_rw_file_perms;
commit	3e60e38a40b81a851589635a75455d7d093f6455	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Oct 07 16:05:25 2017 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Sat Oct 07 16:05:25 2017 +0000
tree	27770429af7426c29e32406f5c27efee4b5a3887
parent	eb1ae18836a8fa48bee4837959ca1b3b6320b71e [diff]
parent	ae48ecbde9e9e0cc69d5d89f895d96e08ab813a4 [diff]