From 1911c27ff002880962fb04429fac950381a795de Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 7 Jan 2016 15:22:12 -0800
Subject: [PATCH] app: remove permission to execute gpu_device

Not actually needed as demonstrated by the auditallow rule.

Change-Id: Ia92c82ec237ab3490a1d51fa3371778e43e09504
---
 app.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/app.te b/app.te
index 7364d2451..e2cdcc22d 100644
--- a/app.te
+++ b/app.te
@@ -123,8 +123,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
-auditallow { appdomain -isolated_app } gpu_device:chr_file execute;
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
 
 # Use the Binder.
 binder_use(appdomain)
-- 
GitLab
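Review bot: The new `allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;` line drops `execute`, but nothing visible in the hunk stops a later rule from granting it again, and the `auditallow` that would have logged any use is removed in the same change. If apps never mapping the GPU node executable is the intended invariant, state it as a compile-time assertion next to the rule, for example `neverallow appdomain gpu_device:chr_file execute;`. The evidence in the commit message is the absence of `auditallow` records, which presumably covers only the devices and workloads that were exercised. A GPU driver that needs an executable mapping would now appear as an `avc: denied { execute }` record, so watch for that after rollout. The comment above the rule could also record the decision, e.g. `# execute is intentionally not granted; isolated_app gets no GPU access from this rule.`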