Diffstat (limited to 'app.te')
-rw-r--r--app.te4
1 files changed, 4 insertions, 0 deletions
diff --git a/app.te b/app.te
index 7de624b..45225b5 100644
--- a/app.te
+++ b/app.te
@@ -222,6 +222,10 @@ selinux_check_context(appdomain)
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
+
###
### Neverallow rules
###
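Review bot: The comment on the added rule says apps must not open tun_device directly, but the hunk enforces that only by leaving `open` out of the permission set, so a later allow rule in another file could grant it without anyone noticing. Adding a matching assertion to the Neverallow section that begins right after this hunk (and continues outside it) would make the intent build-time checked, for example `neverallow untrusted_app tun_device:chr_file open;`, with the domain set confirmed against whichever domains legitimately open the device. The comment also names only "untrusted app" while the rule covers every appdomain except isolated_app; wording such as `# open is deliberately omitted: apps may only use a tun fd passed in by the framework.` would match the rule. Separately, `ioctl` is granted unfiltered here; if this policy version supports restricting ioctl commands, it is worth checking which ones apps actually need on a passed-in tun fd.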