Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / 3fbc536dfd5afbce5ef45f18d0afb3516089ed88^! / . / mediaserver.te
commit3fbc536dfd5afbce5ef45f18d0afb3516089ed88[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Thu Mar 27 09:45:26 2014 -0400
committerStephen Smalley <sds@tycho.nsa.gov>Thu Mar 27 09:51:18 2014 -0400
treef54f8c452034320faa4e27549e3b8b569f5bdd5d
parent9fc0d40eff46d1319f282df68376c335c3115c36 [diff] [blame]
Allow reading of radio data files passed over binder.

Addresses denials such as:
 avc:  denied  { read } for  pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { getattr } for  pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { read } for  pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { getattr } for  pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { read } for  pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file

This does not allow write denials such as:
 avc:  denied  { write } for  pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file

Need to understand whether write access is in fact required.

Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/mediaserver.te b/mediaserver.te
index 43783d6..cdd9772 100644
--- a/mediaserver.te
+++ b/mediaserver.te

@@ -40,6 +40,9 @@
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver asec_apk_file:file { read getattr };
 
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
 # Access camera device.
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver rpmsg_device:chr_file rw_file_perms;