From 2cc6d63d5d88824527a7fd89a0cacf5702109eae Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 4 Jun 2014 13:36:48 -0400
Subject: [PATCH] Allow system_server access to /data/media files passed via
 Binder.

Addresses denials such as:
 avc: denied { read } for comm="Binder_6" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
 avc: denied { getattr } for comm="Binder_9" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I5e5744eecf2cbd4fc584db8584be4e9101bcb60c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 system_server.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/system_server.te b/system_server.te
index 50c9d98b7..96edd06e1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -241,6 +241,9 @@ allow system_server system_app_data_file:file create_file_perms;
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
 
+# Receive and use open /data/media files passed over binder IPC.
+allow system_server media_rw_data_file:file { getattr read write };
+
 # Read /file_contexts and /data/security/file_contexts
 security_access_policy(system_server)
 
-- 
GitLab