From a771671877d306804dbbf5a8e6baa03c877f890d Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 4 Nov 2013 09:50:52 -0500
Subject: [PATCH] Label /data/misc/media and allow mediaserver access to it.

Otherwise we get denials like these on 4.4:

type=1400 audit(1383590170.360:29): avc:  denied  { write } for  pid=61 comm="mediaserver" name="media" dev="mtdblock1" ino=6416 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { add_name } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { create } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590170.360:29): avc:  denied  { write open } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { write } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { open } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 file.te        | 1 +
 file_contexts  | 1 +
 mediaserver.te | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/file.te b/file.te
index 51684f324..5b71f8bc9 100644
--- a/file.te
+++ b/file.te
@@ -51,6 +51,7 @@ type gps_data_file, file_type, data_file_type;
 # /data/misc subdirectories
 type audio_firmware_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
+type media_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 83226aec4..d8315a1f6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -170,6 +170,7 @@
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
+/data/misc/media(/.*)?		u:object_r:media_data_file:s0
 /data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
 /data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
 /data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
diff --git a/mediaserver.te b/mediaserver.te
index 6904f821c..51ae726e5 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -18,6 +18,8 @@ binder_service(mediaserver)
 
 allow mediaserver self:process execmem;
 allow mediaserver kernel:system module_request;
+allow mediaserver media_data_file:dir rw_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
-- 
GitLab