am 2d1650f4: allow system_server to set kernel scheduling priority
* commit '2d1650f4075db4f4f458de4c1a4cb5869c44b936':
allow system_server to set kernel scheduling priority
diff --git a/app.te b/app.te
index b9027fe..e2eac0f 100644
--- a/app.te
+++ b/app.te
@@ -90,7 +90,7 @@
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
# Use the Binder.
binder_use(appdomain)
diff --git a/isolated_app.te b/isolated_app.te
index a156838..a035901 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,6 +13,9 @@
app_domain(isolated_app)
net_domain(isolated_app)
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:file { rw_file_perms execute };
+
# read and write access to app_data_file is already
# granted via app.te. Allow execute.
# Needed to allow dlopen() from Chrome renderer processes.
diff --git a/zygote.te b/zygote.te
index 5ee4eb8..4c6276c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,9 +21,6 @@
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
-# Read system security data.
-allow zygote keychain_data_file:dir r_dir_perms;
-allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;