sepolicy/app.te - device/google/marlin - Git at Google

 # Only allow gpu ioctl commands that have been demonstrated to be necessary.
 allowxperm { appdomain -isolated_app } gpu_device:chr_file
   ioctl { gpu_ioctls unpriv_tty_ioctls };

 allow { appdomain -isolated_app } sysfs_soc:dir search;
 allow { appdomain -isolated_app } sysfs_soc:file r_file_perms;
	# Only allow gpu ioctl commands that have been demonstrated to be necessary.
	allowxperm { appdomain -isolated_app } gpu_device:chr_file
	ioctl { gpu_ioctls unpriv_tty_ioctls };

	allow { appdomain -isolated_app } sysfs_soc:dir search;
	allow { appdomain -isolated_app } sysfs_soc:file r_file_perms;