diff options
author | Jeff Vander Stoep <jeffv@google.com> | 2016-01-07 15:22:12 -0800 |
---|---|---|
committer | Jeffrey Vander Stoep <jeffv@google.com> | 2016-01-07 23:30:18 +0000 |
commit | 1911c27ff002880962fb04429fac950381a795de (patch) | |
tree | 5f40c46e69441e384cb5b8d581c0272eb7f41f50 | |
parent | dc37ea73932f8d1c401695366284b4e8869e2127 (diff) | |
download | sepolicy-1911c27ff002880962fb04429fac950381a795de.tar.gz |
app: remove permission to execute gpu_device
Not actually needed as demonstrated by the auditallow rule.
Change-Id: Ia92c82ec237ab3490a1d51fa3371778e43e09504
-rw-r--r-- | app.te | 3 |
1 files changed, 1 insertions, 2 deletions
@@ -123,8 +123,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms; # Grant GPU access to all processes started by Zygote. # They need that to render the standard UI. -allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute }; -auditallow { appdomain -isolated_app } gpu_device:chr_file execute; +allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms; # Use the Binder. binder_use(appdomain) |