From 182dbeb603120104adca7fe2fe1f63c8613b98d4 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 26 Jun 2017 16:58:51 -0700
Subject: [PATCH] Suppress mediaprover access to certain cache dirs

avc: denied { getattr } for comm="sAsyncHandlerTh"
path="/data/cache/recovery" dev="sda13" ino=7086082
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
avc: denied { getattr } for path="/data/cache/backup"
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:cache_private_backup_file:s0 tclass=dir

Bug: 63038506
Bug: 35197529
Test: build policy
Change-Id: I51624c255e622bf712d41ca1bbf190ec3e4fefae
(cherry picked from commit fcf1b2083935bd298a2ece8d6d0c18712865a04b)
---
 private/mediaprovider.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5a5e701bf..2c4a8094a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -14,6 +14,11 @@ allow mediaprovider cache_file:dir create_dir_perms;
 allow mediaprovider cache_file:file create_file_perms;
 # /cache is a symlink to /data/cache on some devices. Allow reading the link.
 allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
 
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
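Review bot: The two `dontaudit` lines only silence the `getattr` denials quoted in the commit message; they grant nothing, so mediaprovider's orphan scan still gets a failed stat on /cache/recovery and /cache/backup and must already tolerate that. The comment above the rules should make this explicit so a later reader does not mistake it for an allow, e.g. `# dontaudit only hides the log entries; access to these dirs is still denied and the scan skips them.` If the scan ever descends into those directories rather than just stat-ing them, new `search`/`read` denials would surface and should be assessed on their own rather than folded into these rules. Minor style point: the added trailing `+` blank line sits directly above the existing blank line, leaving a double blank between the dontaudit block and the service_manager rules; drop one of them.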
-- 
GitLab