3 files changed, 21 insertions, 5 deletions

diff --git a/services/vr/hardware_composer/vr_composer.cpp b/services/vr/hardware_composer/vr_composer.cpp
index c15f8fd8d2..c45fbf4ea6 100644
--- a/services/vr/hardware_composer/vr_composer.cpp
+++ b/services/vr/hardware_composer/vr_composer.cpp
@@ -1,7 +1,25 @@
 #include "vr_composer.h"
 
+#include <binder/IPCThreadState.h>
+#include <binder/PermissionCache.h>
+
 namespace android {
 namespace dvr {
+namespace {
+
+bool CheckPermission() {
+  const android::IPCThreadState* ipc = android::IPCThreadState::self();
+  const pid_t pid = ipc->getCallingPid();
+  const uid_t uid = ipc->getCallingUid();
+  const bool permission = PermissionCache::checkPermission(
+      String16("android.permission.RESTRICTED_VR_ACCESS"), pid, uid);
+  if (!permission)
+    ALOGE("permission denied to pid=%d uid=%u", pid, uid);
+
+  return permission;
+}
+
+}  // namespace
 
 VrComposer::VrComposer() {}
 
@@ -11,6 +29,9 @@ binder::Status VrComposer::registerObserver(
     const sp<IVrComposerCallback>& callback) {
   std::lock_guard<std::mutex> guard(mutex_);
 
+  if (!CheckPermission())
+    return binder::Status::fromStatusT(PERMISSION_DENIED);
+
   if (callback_.get()) {
     ALOGE("Failed to register callback, already registered");
     return binder::Status::fromStatusT(ALREADY_EXISTS);
diff --git a/services/vr/virtual_touchpad/Android.bp b/services/vr/virtual_touchpad/Android.bp
index c8bc884577..3d5dfb271a 100644
--- a/services/vr/virtual_touchpad/Android.bp
+++ b/services/vr/virtual_touchpad/Android.bp
@@ -80,7 +80,6 @@ cc_binary {
     cppflags: ["-std=c++11"],
     cflags: [
         "-DLOG_TAG=\"VrVirtualTouchpad\"",
-        "-DSELINUX_ACCESS_CONTROL",
     ],
     host_ldlibs: ["-llog"],
     name: "virtual_touchpad",
diff --git a/services/vr/virtual_touchpad/VirtualTouchpadService.cpp b/services/vr/virtual_touchpad/VirtualTouchpadService.cpp
index 191bcfb96e..81edd32875 100644
--- a/services/vr/virtual_touchpad/VirtualTouchpadService.cpp
+++ b/services/vr/virtual_touchpad/VirtualTouchpadService.cpp
@@ -122,9 +122,6 @@ bool VirtualTouchpadService::CheckPermissions() {
 bool VirtualTouchpadService::CheckTouchPermission(pid_t* out_pid) {
   const android::IPCThreadState* ipc = android::IPCThreadState::self();
   *out_pid = ipc->getCallingPid();
-#ifdef SELINUX_ACCESS_CONTROL
-  return true;
-#else
   const uid_t uid = ipc->getCallingUid();
   const bool permission = PermissionCache::checkPermission(kTouchPermission, *out_pid, uid);
   if (!permission) {
@@ -132,7 +129,6 @@ bool VirtualTouchpadService::CheckTouchPermission(pid_t* out_pid) {
           static_cast<long>(uid));
   }
   return permission;
-#endif
 }
 
 }  // namespace dvr