From 9de62d6ffed14a6b0abed63d2a915cdae87a7fc4 Mon Sep 17 00:00:00 2001
From: Robert Sesek <rsesek@google.com>
Date: Thu, 11 Sep 2014 14:33:12 -0400
Subject: [PATCH] isolated_app: Do not allow access to the gpu_device.

Bug: 17471434

(cherry picked from commit 7f4a8a7291ab17385c86fe768b7e0912068ed7d5)

Change-Id: I7d70fd4d8b8ecdd42024345d74fa36233fb76fb5
---
 app.te          | 2 +-
 isolated_app.te | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index 51fbe439f..72fbc03f6 100644
--- a/app.te
+++ b/app.te
@@ -84,7 +84,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
 
 # Use the Binder.
 binder_use(appdomain)
diff --git a/isolated_app.te b/isolated_app.te
index a156838bb..a035901b7 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,6 +13,9 @@ type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
 
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:file { rw_file_perms execute };
+
 # read and write access to app_data_file is already
 # granted via app.te. Allow execute.
 # Needed to allow dlopen() from Chrome renderer processes.
-- 
GitLab