SDK applications need the following AppArmor policy to run on a Nexus 7:
/dev/nvmap rw,
/dev/nvhost-* rw,
/sys/module/nvhost/parameters/* r,
/sys/module/fuse/parameters/tegra* r,
The read accesses are not ideal but probably ok, but the writes to /dev/nvmap and /dev/nvhost-* allow applications to attack these devices directly. I'm not sure what the solution is, but the current behavior weakens our application confinement policy.