From b93f04945a16eb770c4bfd42568b04e62e64706c Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Wed, 29 Mar 2017 14:53:09 -0700
Subject: [PATCH] Add media services to ephemeral_app

Test: denials go away
Change-Id: I103cf3ad8d86b461bcba8edce02f6202fd2bcbe8
---
 private/ephemeral_app.te     | 7 +++++++
 private/untrusted_app_all.te | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 92890273a..2d4b1f15c 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -20,6 +20,13 @@ app_domain(ephemeral_app)
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
 # services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediacasserver_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
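Review bot: The seven `service_manager find` rules added at the top of the `# services` list carry no rationale, and the commit's only evidence is "denials go away", so a reader cannot tell which of these services an ephemeral app was actually observed to look up. The header change in untrusted_app_all.te suggests ephemeral_app is deliberately kept on its own, narrower allowlist, so each grant here should be tied to a recorded `avc: denied { find }` entry, and any service without one should be dropped. I would add a comment above the block such as `# Media services: each find below matches an observed denial, see <BUG_ID placeholder>.` Whether lookup alone makes these services reachable depends on binder rules outside this hunk, so it is worth confirming that camera and audio access is still gated by the services' own permission checks.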
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 993b3d0e3..73aa79e90 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -1,7 +1,8 @@
 ###
 ### Untrusted_app_all.
 ###
-### This file defines the rules shared by all untrusted app domains.
+### This file defines the rules shared by all untrusted app domains except
+### ephemeral apps.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
 ### optionally package name to seinfo value) and seapp_contexts (maps UID
 ### and optionally seinfo value to domain for process and type for data
-- 
GitLab