Allow system_server access to /data/media files passed via Binder.

Addresses denials such as: avc: denied { read } for comm="Binder_6" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file avc: denied { getattr } for comm="Binder_9" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Change-Id: I5e5744eecf2cbd4fc584db8584be4e9101bcb60c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow system_server access to /data/media files passed via Binder.
2cc6d63d · Stephen Smalley · 84ed890a · 2cc6d63d
Commit 2cc6d63d authored 10 years ago by Stephen Smalley
--- a/system_server.te
+++ b/system_server.te
@@ -241,6 +241,9 @@ allow system_server system_app_data_file:file create_file_perms;
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

+# Receive and use open /data/media files passed over binder IPC.
+allow system_server media_rw_data_file:file { getattr read write };
+
 # Read /file_contexts and /data/security/file_contexts
 security_access_policy(system_server)