From 2737ceff233a32be67ebc6e3dba6e80b8df6df0a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 4 Mar 2014 13:44:01 -0500
Subject: [PATCH] Allow stat/read of /data/media files by app domains.

Resolves denials such as:
avc: denied { read } for pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
avc: denied { getattr } for pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te       | 3 +++
 bluetooth.te | 4 ----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/app.te b/app.te
index a6f584d22..8109ddb71 100644
--- a/app.te
+++ b/app.te
@@ -108,6 +108,9 @@ allow appdomain system_data_file:lnk_file getattr;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
 
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow appdomain media_rw_data_file:file { read getattr };
+
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
diff --git a/bluetooth.te b/bluetooth.te
index 474ca433e..c63dc02e1 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -47,10 +47,6 @@ allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 allow bluetooth sdcard_internal:dir create_dir_perms;
 allow bluetooth sdcard_internal:file create_file_perms;
 
-# Allow reading of media_rw_data_file file descriptors
-# passed to bluetooth
-allow bluetooth media_rw_data_file:file { read getattr };
-
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;
 
-- 
GitLab
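Review bot: The new app.te rule grants `{ read getattr }` but deliberately not `open` or directory `search` — unlike the `download_file` rules just above it, which use `r_file_perms` — so an app domain (including `untrusted_app`, per the denials in the description) can only use a `media_rw_data_file` descriptor it received over IPC and still cannot open `/data/media` directly; that is the security-relevant property of this change, but the comment does not state it, and the next `open` denial will invite someone to widen it to `r_file_perms`. Suggest making the intent explicit above the rule: `# Deliberately no open/search: apps must receive the fd over IPC; direct access to /data/media stays denied.` If that is the intended contract, `neverallow appdomain media_rw_data_file:file open;` would enforce it at policy build time, though this hunk alone does not show whether any app domain currently relies on opening these files, so check before adding it. The bluetooth.te removal presumably depends on `bluetooth` being an `appdomain` so the new rule subsumes it; that is not visible here and is worth one sentence in the description.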