Restrict isolated_app's /sys access

isolated_app is strictly limited in which files under /sys it can
access.

Test: policy compiles.
Change-Id: Ibe6702322cd069d773416789b06b123493055a21
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index ee24d7f..24869b9 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -2,7 +2,7 @@
   allow { domain -appdomain } diag_device:chr_file rw_file_perms;
 ')
 
-r_dir_file(domain, sysfs_socinfo);
-r_dir_file(domain, sysfs_thermal);
-r_dir_file(domain, sysfs_power_management);
+r_dir_file({ domain -isolated_app }, sysfs_socinfo);
+r_dir_file({ domain -isolated_app }, sysfs_thermal);
+r_dir_file({ domain -isolated_app }, sysfs_power_management);
 r_dir_file(domain, sysfs_devices_system_cpu);
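Review bot: The three rewritten rules carry no comment explaining why isolated_app is subtracted, and the unchanged `r_dir_file(domain, sysfs_devices_system_cpu);` just below still grants isolated_app read access to that type, so a reader cannot tell whether that is deliberate or an oversight. I would add a line above the block such as `# isolated_app is strictly limited in which /sys files it may read; keep it out of these domain-wide grants.` and, if the CPU sysfs reads are intended for isolated_app, say so next to the last rule. Since the stated test is only that the policy compiles, a later domain-wide allow on one of these types could silently restore the access. A rule like `neverallow isolated_app { sysfs_socinfo sysfs_thermal sysfs_power_management }:file no_rw_file_perms;` would make the restriction enforced at build time, assuming no other rule in the tree (not visible from this hunk) grants it.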