sepolicy/app.te


1
2
3
4
5
6

# Only allow gpu ioctl commands that have been demonstrated to be necessary.
allowxperm { appdomain -isolated_app } gpu_device:chr_file
  ioctl { gpu_ioctls unpriv_tty_ioctls };

allow { appdomain -isolated_app } sysfs_soc:dir search;
allow { appdomain -isolated_app } sysfs_soc:file r_file_perms;