Suppress mediaprover access to certain cache dirs

avc: denied { getattr } for comm="sAsyncHandlerTh" path="/data/cache/recovery" dev="sda13" ino=7086082 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir avc: denied { getattr } for path="/data/cache/backup" scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:cache_private_backup_file:s0 tclass=dir Bug: 63038506 Bug: 35197529 Test: build police Change-Id: I51624c255e622bf712d41ca1bbf190ec3e4fefae (cherry picked from commit fcf1b2083935bd298a2ece8d6d0c18712865a04b)

Suppress mediaprover access to certain cache dirs
182dbeb6 · Jeff Vander Stoep · Jerry Zhang · 63f46773 · 182dbeb6
Commit 182dbeb6 authored 7 years ago by Jeff Vander Stoep Committed by Jerry Zhang 7 years ago
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -14,6 +14,11 @@ allow mediaprovider cache_file:dir create_dir_perms;
 allow mediaprovider cache_file:file create_file_perms;
 # /cache is a symlink to /data/cache on some devices. Allow reading the link.
 allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;