From 2ada7f3c108f0d3a9d73619357174af2d75b77cf Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Jan 2015 16:20:42 -0800
Subject: [PATCH] Revert "isolated_app: Do not allow access to the gpu_device."

Chrome team recommends reverting this patch and introducing
it into a future version of Android, to avoid potential
compatibility issues.

This reverts commit 9de62d6ffed14a6b0abed63d2a915cdae87a7fc4.

Bug: 17471434
Bug: 18609318
Change-Id: I9adaa9d0e4cb6a592011336e442e9d414dbac470
---
 app.te          | 2 +-
 isolated_app.te | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/app.te b/app.te
index cfb13b95e..097224472 100644
--- a/app.te
+++ b/app.te
@@ -91,7 +91,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
+allow appdomain gpu_device:chr_file { rw_file_perms execute };
 
 # Use the Binder.
 binder_use(appdomain)
diff --git a/isolated_app.te b/isolated_app.te
index 627d0a0e1..f6183aa67 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr };
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
 
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:file { rw_file_perms execute };
-
 allow isolated_app radio_service:service_manager find;
 allow isolated_app surfaceflinger_service:service_manager find;
 allow isolated_app system_server_service:service_manager find;
-- 
GitLab