isolated_app: Do not allow access to the gpu_device.

Bug: 17471434 Change-Id: I6fd1079be29a454f46ab84f0c43fcf816e679c98
2014-09-11 14:33:12 -04:00 · 2014-09-11 14:33:12 -04:00 · 7f4a8a7291
commit 7f4a8a7291
parent 72acd6bbbe
2 changed files with 4 additions and 1 deletions
--- a/app.te
+++ b/app.te
@ -84,7 +84,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;

 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };

 # Use the Binder.
 binder_use(appdomain)
--- a/isolated_app.te
+++ b/isolated_app.te
@ -13,6 +13,9 @@ type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)

+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:file { rw_file_perms execute };
+
 # read and write access to app_data_file is already
 # granted via app.te. Allow execute.
 # Needed to allow dlopen() from Chrome renderer processes.