Add gpu_device access to isolated_compute_app
Currently all apps except `isolated_app_all` already have this access. Since `isolated_compute_app` is a special case of `isolated_app` with relaxed security restrictions to allow hardware acceleration use cases, it is safe to extend the same access as the rest of the apps (system/sepolicy/private/app.te;l=389-394) to `isolated_compute_app`.
Test: tested with latest build, gpu inference works without any permission denials.
Bug: 368056520
Change-Id: I5b512cff0d2e68efc03fdc626970b29546ed9f7b
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 12b1794..43f1ac6 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -70,7 +70,7 @@
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app_all gpu_device:chr_file { rw_file_perms execute };
+neverallow { isolated_app_all -isolated_compute_app } gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_apps access to /cache
neverallow isolated_app_all cache_file:dir ~{ r_dir_perms };
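Review bot: The carve-out on the new neverallow line removes the `execute` restriction for isolated_compute_app together with `rw_file_perms`, although the allow rule this change introduces only grants `rw_file_perms`; after this change nothing in the policy would reject a later rule granting execute on gpu_device to that domain. Splitting the rule keeps the executable-mapping ban for every isolated app while exempting only the read/write access the compute domain needs: `neverallow { isolated_app_all -isolated_compute_app } gpu_device:chr_file rw_file_perms;` followed by `neverallow isolated_app_all gpu_device:chr_file execute;`. The comment above it, "Isolated apps shouldn't be able to access the driver directly.", is also no longer accurate and should name the exception, e.g. `# Isolated apps shouldn't be able to access the driver directly; isolated_compute_app is exempted (see isolated_compute_app.te).`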
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 5d4070d..f34850e 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -32,6 +32,12 @@
# Allow access to the toybox: b/275024392
allow isolated_compute_app toolbox_exec:file rx_file_perms;
+# Grant GPU access to isolated_compute_app as it is required for acceleration.
+allow isolated_compute_app gpu_device:chr_file rw_file_perms;
+allow isolated_compute_app gpu_device:dir r_dir_perms;
+allow isolated_compute_app sysfs_gpu:file r_file_perms;
+
+
#####
##### Neverallow
#####
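Review bot: The three new allow rules near the top of the hunk are only admissible because the matching neverallow in private/isolated_app_all.te is relaxed in the same change, but the comment above them does not say so, so either side could later be edited without the other. The comment should record the pairing and the tracking bug, e.g. `# Grant GPU access to isolated_compute_app as it is required for acceleration (b/368056520). Mirrors the appdomain rules in app.te; the matching neverallow in isolated_app_all.te exempts this domain.` The two consecutive blank lines added before the `#####` banner also appear to be one more than the surrounding layout uses and can likely be collapsed to one.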