tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

isolated_app: Do not allow access to the gpu_device.

Browse source 
Bug: 17471434
Bug: 18609318
Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc
This commit is contained in:
Nick Kralevich 2015-04-09 14:31:16 -07:00
parent 84f580ac9e
commit f1b5c665ad
2 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app.te
View file

@ -106,7 +106,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote. # Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI. # They need that to render the standard UI.
allow appdomain gpu_device:chr_file { rw_file_perms execute }; allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
# Use the Binder. # Use the Binder.
binder_use(appdomain) binder_use(appdomain)

3
isolated_app.te
View file

@ -35,3 +35,6 @@ neverallow isolated_app {
-activity_service -activity_service
-display_service -display_service
}:service_manager find; }:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };