From 6f9ac6e4ccf7b6410e8ef0aaa26817ea6b7b5916 Mon Sep 17 00:00:00 2001
From: Jerry Zhang <zhangjerry@google.com>
Date: Wed, 26 Apr 2017 10:18:30 -0700
Subject: [PATCH] Add drm and kernel permissions to mediaprovider

These were missing when the sepolicy was migrated.
Addresses denials:
E SELinux : avc: denied { find } for service=drm.drmManager pid=11769 uid=10018 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg" dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0 tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0
Bug: 37685394
Bug: 37686255
Test: Sync files
Test: Open downloaded file
Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d
---
 private/mediaprovider.te | 1 +
 public/kernel.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 4be640118..63f56c876 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -17,6 +17,7 @@ allow mediaprovider cache_file:lnk_file r_file_perms;
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
 allow mediaprovider mediaserver_service:service_manager find;
 allow mediaprovider surfaceflinger_service:service_manager find;
diff --git a/public/kernel.te b/public/kernel.te
index e70528778..75043b815 100644
--- a/public/kernel.te
+++ b/public/kernel.te
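Review bot: The added `find` rule on drmserver_service only lets mediaprovider look the service up; if mediaprovider then transacts with drmserver over binder, a `binder_call(mediaprovider, drmserver)` rule is needed as well, unless one already exists outside this hunk. The listed tests (sync files, open downloaded file) would surface that as a further binder denial, so it is worth confirming that logcat is free of mediaprovider denials after the change. The neighbouring service_manager rules carry no comments, so none is needed on the new line.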
@@ -50,6 +50,9 @@ allow kernel self:security setcheckreqprot;
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
 allow kernel sdcard_type:file { read write };
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
 # Allow the kernel to read OBB files from app directories. (b/17428116)
 # Kernel thread "loop0" reads a vold supplied file descriptor.
 # Fixes CTS tests:
--
GitLab
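Review bot: The new comment `# f_mtp driver accesses files from kernel context.` does not cite the tracking bug, while the adjacent rules in this hunk do (b/17158723, b/17428116); add the relevant Bug id from the commit message, e.g. `# f_mtp driver accesses files from kernel context (b/<bug id from commit message>).` The denial quoted in the commit message comes from a kworker thread on an sdcardfs path, which does not by itself identify the f_mtp driver, so the attribution in the comment is an inference worth confirming before it is recorded as the rationale for a kernel-domain `fd use` grant on mediaprovider. The rule is limited to the `fd` class and the `use` permission, which is the narrowest form matching the denial.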