Merge "Revert "isolated_app: Do not allow access to the gpu_device.""

9dc5956f · Nick Kralevich · Gerrit Code Review · c21e9cc1 · 2ada7f3c · 9dc5956f
Commit 9dc5956f authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/app.te
+++ b/app.te
@@ -91,7 +91,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
+allow appdomain gpu_device:chr_file { rw_file_perms execute };
 # Use the Binder.
 binder_use(appdomain)

--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr };
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:file { rw_file_perms execute };
 allow isolated_app radio_service:service_manager find;
 allow isolated_app surfaceflinger_service:service_manager find;
 allow isolated_app system_server_service:service_manager find;