Merge "isolated_app: Do not allow access to the gpu_device."
This commit is contained in:
Nick Kralevich
Gerrit Code Review
commit
9fc35a752c
2 changed files with 4 additions and 1 deletions
2
app.te
2
app.te
|
|
@ -106,7 +106,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
|
|||
|
||||
# Grant GPU access to all processes started by Zygote.
|
||||
# They need that to render the standard UI.
|
||||
allow appdomain gpu_device:chr_file { rw_file_perms execute };
|
||||
allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
|
||||
|
||||
# Use the Binder.
|
||||
binder_use(appdomain)
|
||||
|
|
|
|||
|
|
@ -35,3 +35,6 @@ neverallow isolated_app {
|
|||
-activity_service
|
||||
-display_service
|
||||
}:service_manager find;
|
||||
|
||||
# Isolated apps shouldn't be able to access the driver directly.
|
||||
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
|
||||
|
|
|
|||
Loading…
Reference in a new issue