From 37339c763e9082573fcc86e14a6fb9d2d4b9d20c Mon Sep 17 00:00:00 2001 
From: Nick Kralevich <nnk@google.com> Date: Mon, 6 Jan 2014 12:39:19 -0800 Subject: [PATCH] fix mediaserver selinux denials. mediaserver needs the ability to read media_rw_data_file files. Allow it. Similarly, this is also needed for drmserver. Addresses the following denials: <5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Allow anyone who has access to video_device:chr_file to also have read access to video_device:dir. 
Otherwise, the chracter devices may not be reachable.
Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074
---
 drmserver.te | 3 +++
 mediaserver.te | 5 +++--
 surfaceflinger.te | 1 +
 system_server.te | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/drmserver.te b/drmserver.te
index b465430ca..112d7a180 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -34,3 +34,6 @@ allow drmserver apk_data_file:dir rw_dir_perms;
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
 allow drmserver drmserver_socket:sock_file create_file_perms;
 allow drmserver tee:unix_stream_socket connectto;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
diff --git a/mediaserver.te b/mediaserver.te
index ab65bb73b..0105ffdad 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -24,6 +24,7 @@ allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
 allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
 allow mediaserver qemu_device:chr_file rw_file_perms;
@@ -47,8 +48,8 @@ allow mediaserver rpmsg_device:chr_file rw_file_perms;
 allow mediaserver system_server:fifo_file r_file_perms;
 
 # Camera data
-allow mediaserver camera_data_file:dir r_dir_perms;
-allow mediaserver camera_data_file:file r_file_perms;
+r_dir_file(mediaserver, camera_data_file)
+r_dir_file(mediaserver, media_rw_data_file)
 
 # Grant access to audio files to mediaserver
 allow mediaserver audio_data_file:dir ra_dir_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index a2abf157a..c129d0759 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
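Review bot: The added `r_dir_file(drmserver, media_rw_data_file)` grants read/search on every directory and read on every file carrying the media_rw_data_file label, which from the denial paths is the whole /data/media tree (apparently across users, given the /data/media/0 prefix), while the comment above the line and the quoted denials only concern video files under /data/media/0/DCIM/Camera. The second mediaserver.te hunk adds the same broad grant to mediaserver, so this applies there too. If no narrower label exists for camera output, the comment should at least state the real scope so a later reader does not take it as DCIM-only: `# drmserver reads media files recorded by the camera; media_rw_data_file covers all of /data/media, not just DCIM.`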
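Review bot: `allow mediaserver video_device:dir r_dir_perms;` grants more than path traversal needs: opening a device node by path only requires `search` on the directory, whereas `r_dir_perms` also lets the domain enumerate it. The commit message explains the dir grant only in general terms and quotes no avc denial with tclass=dir, so it is not visible from the patch which permission was actually refused; the existing policy shows both forms for device directories (`allow surfaceflinger graphics_device:dir search;` in the surfaceflinger.te hunk header, `allow mediaserver audio_device:dir r_dir_perms;` in this hunk's context). Unless listing the directory is required, `allow mediaserver video_device:dir search;` is the least-privilege grant, and the same consideration applies to the surfaceflinger.te and system_server.te hunks; the denial that motivated this line would be worth adding to the commit message either way.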
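Review bot: The `# Camera data` comment now sits above `r_dir_file(mediaserver, media_rw_data_file)`, which is not camera data but the general user media tree under /data/media, so the comment misdescribes the second grant. Suggest `# Camera data, plus read access to user media under /data/media (media_rw_data_file) for the media scanner and Binder reads seen in the denials.` Also, if the r_dir_file macro expands to more than the two `allow` lines it replaces for camera_data_file (for example if it also covers lnk_file), the rewrite is a small widening that deserves a word in the commit message.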
@@ -21,6 +21,7 @@ allow surfaceflinger graphics_device:dir search;
 allow surfaceflinger graphics_device:chr_file rw_file_perms;
 
 # Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
 # Create and use netlink kobject uevent sockets.
diff --git a/system_server.te b/system_server.te
index 1b60ea716..09e6ec5d8 100644
--- a/system_server.te
+++ b/system_server.te
@@ -132,6 +132,7 @@ allow system_server input_device:chr_file rw_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
 allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server qemu_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;
-- 
GitLab