From f1b5c665adbb666f7534359f7e818b2c9a6e6dc6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 9 Apr 2015 14:31:16 -0700
Subject: [PATCH] isolated_app: Do not allow access to the gpu_device.

Bug: 17471434
Bug: 18609318
Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc
---
 app.te          | 2 +-
 isolated_app.te | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index ffaae2386..ba39ff4ff 100644
--- a/app.te
+++ b/app.te
@@ -106,7 +106,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
 
 # Use the Binder.
 binder_use(appdomain)
diff --git a/isolated_app.te b/isolated_app.te
index c3685279f..1cede96cb 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -35,3 +35,6 @@ neverallow isolated_app {
     -activity_service
     -display_service
 }:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };