From 7cbe44f2444b27bc81499bc0c8af362080b66c3b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 31 Jan 2014 13:20:20 -0800
Subject: [PATCH] drmserver: allow looking in efs_file directories

We can read any efs_files, but can't look in the directory
containing them. Allow it.

Without this patch, high resolution movie playback is broken.

Addresses the following denial:

[  276.780046] type=1400 audit(1391105234.431:5): avc:  denied  { search } for  pid=125 comm="drmserver" name="/" dev="mmcblk0p1" ino=2 scontext=u:r:drmserver:s0 tcontext=u:object_r:efs_file:s0 tclass=dir

Bug: 12819852

Change-Id: Ie9d13a224cef5e229de1bdb78d605841ed387a21
---
 drmserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drmserver.te b/drmserver.te
index ba6b5c562..2fbb6613e 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -23,7 +23,7 @@ allow drmserver tee_device:chr_file rw_file_perms;
 allow drmserver platform_app_data_file:file { read write getattr };
 allow drmserver { app_data_file asec_apk_file }:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
-allow drmserver efs_file:file { open read getattr };
+r_dir_file(drmserver, efs_file)
 
 type drmserver_socket, file_type;
 
-- 
GitLab