Merge "isolated_app: Do not allow access to the gpu_device."

commit: 9fc35a752c6b4068afeaf9c7e35d2965908d2a62 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Apr 10 14:35:39 2015 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Apr 10 14:35:40 2015 +0000
tree: 3dbf4c5ea576d70de9a53e10e7e8b0237e7492a2
parent: 2234f9ff579f9e928d868372f5bd7499e2da7bd1 [diff]
parent: f1b5c665adbb666f7534359f7e818b2c9a6e6dc6 [diff]
diff --git a/app.te b/app.te
index ffaae23..ba39ff4 100644
--- a/app.te
+++ b/app.te

@@ -106,7 +106,7 @@
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
 
 # Use the Binder.
 binder_use(appdomain)

diff --git a/isolated_app.te b/isolated_app.te
index c368527..1cede96 100644
--- a/isolated_app.te
+++ b/isolated_app.te

@@ -35,3 +35,6 @@
     -activity_service
     -display_service
 }:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
commit	9fc35a752c6b4068afeaf9c7e35d2965908d2a62	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Apr 10 14:35:39 2015 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Apr 10 14:35:40 2015 +0000
tree	3dbf4c5ea576d70de9a53e10e7e8b0237e7492a2
parent	2234f9ff579f9e928d868372f5bd7499e2da7bd1 [diff]
parent	f1b5c665adbb666f7534359f7e818b2c9a6e6dc6 [diff]