isolated_app: Do not allow access to the gpu_device.

Bug: 17471434 Bug: 18609318 Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc

isolated_app: Do not allow access to the gpu_device.
f1b5c665 · Nick Kralevich · 84f580ac · f1b5c665 · f1b5c665
Commit f1b5c665 authored 9 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
@@ -106,7 +106,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;

 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };

 # Use the Binder.
 binder_use(appdomain)

--- a/isolated_app.te
+++ b/isolated_app.te
@@ -35,3 +35,6 @@ neverallow isolated_app {
    -activity_service
    -display_service
 }:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };