Add drm and kernel permissions to mediaprovider

These were missing when the sepolicy was migrated. Addresses denials: E SELinux : avc: denied { find } for service=drm.drmManager pid=11769 uid=10018 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg" dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0 tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0 Bug: 37685394 Bug: 37686255 Test: Sync files Test: Open downloaded file Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d

Add drm and kernel permissions to mediaprovider
6f9ac6e4 · Jerry Zhang · 9f152d98 · 6f9ac6e4 · 6f9ac6e4
Commit 6f9ac6e4 authored 7 years ago by Jerry Zhang
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -17,6 +17,7 @@ allow mediaprovider cache_file:lnk_file r_file_perms;

 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
 allow mediaprovider mediaserver_service:service_manager find;
 allow mediaprovider surfaceflinger_service:service_manager find;


--- a/public/kernel.te
+++ b/public/kernel.te
@@ -50,6 +50,9 @@ allow kernel self:security setcheckreqprot;
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
 allow kernel sdcard_type:file { read write };

+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
 # Allow the kernel to read OBB files from app directories. (b/17428116)
 # Kernel thread "loop0" reads a vold supplied file descriptor.
 # Fixes CTS tests: