From 22b20c984f66efd81bbc1df762a68527b631a7f6 Mon Sep 17 00:00:00 2001
From: Zheng Zhang <zhzh@google.com>
Date: Mon, 23 Apr 2018 20:47:05 -0700
Subject: [PATCH] Allow mediaserver to access vendor apps

Currently, when a vendor app uses MediaPlayer to play its audio resource,
playback fails due to this neverallow rule.

Bug: 78436043
Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063
---
 public/domain.te      | 1 +
 public/mediaserver.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 5b50afd8a..31f21887d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -955,6 +955,7 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
+        -mediaserver
     } vendor_app_file:file r_file_perms;
 ')
 
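Review bot: The added `-mediaserver` entry exempts a domain that parses untrusted media from the vendor_app_file neverallow, and nothing in the policy records why. Because the exemption covers all of `r_file_perms`, the neverallow no longer blocks a later change from widening mediaserver's access to these files. I would put a comment on the entry, for example `# mediaserver reads media resources of vendor apps (b/78436043)`, so the carve-out can be audited and removed when no longer needed. The neverallow statement starts above this hunk, so its full source set and any existing rationale comment are not visible here.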
diff --git a/public/mediaserver.te b/public/mediaserver.te
index f0c94edc0..e0fc76a59 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -99,6 +99,9 @@ allow mediaserver hidl_token_hwservice:hwservice_manager find;
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights
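Review bot: `r_file_perms` in the added allow rule includes `open`, so mediaserver can open any file labelled vendor_app_file by path, not only the files an app hands to it. If playback works from a file descriptor that the vendor app opens and passes over binder (presumably the case for MediaPlayer resources, to be confirmed against the denial in the bug), the rule can be narrowed to `allow mediaserver vendor_app_file:file { getattr read map };`. mediaserver parses untrusted media, so leaving out path-based access limits what a compromised mediaserver could read from /vendor apps. The comment `# /vendor apk access` could also state the reason, e.g. `# Read media resources in /vendor apks via fds passed by the app`.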
-- 
GitLab