From f8f4d3e10c38db80093cc3c28ad81f296fb7c6ab Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Tue, 7 Jun 2016 10:04:03 -0700
Subject: [PATCH] reduce mediaserver permissions

mediaserver no longer needs access to audio and camera.

Bug: 22775369
Change-Id: I1de1f0e3504b214d6943733bf60eb83654b71048
---
 mediaserver.te | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/mediaserver.te b/mediaserver.te
index ed42a7c22..5fbaa3030 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -33,13 +33,9 @@ allow mediaserver sdcard_type:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
-allow mediaserver audio_device:dir r_dir_perms;
 
 set_prop(mediaserver, audio_prop)
 
-# Access audio devices at all.
-allow mediaserver audio_device:chr_file rw_file_perms;
-
 # XXX Label with a specific type?
 allow mediaserver sysfs:file r_file_perms;
 
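Review bot: `set_prop(mediaserver, audio_prop)` stays in this hunk while both `audio_device` rules around it are dropped, so mediaserver can still write audio properties after losing access to the audio devices themselves. If audio handling has fully moved out of mediaserver, this grant looks like a leftover and should be removed. If it is still needed, a comment such as `# mediaserver still sets audio_prop for <reason>` would make the exception explicit. The retained `video_device` rules above raise a similar question: they may be needed for hardware codecs rather than the camera, and a one-line comment saying so would help the next audit.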
@@ -59,14 +55,8 @@ allow mediaserver rpmsg_device:chr_file rw_file_perms;
 # Inter System processes communicate over named pipe (FIFO)
 allow mediaserver system_server:fifo_file r_file_perms;
 
-# Camera data
-r_dir_file(mediaserver, camera_data_file)
 r_dir_file(mediaserver, media_rw_data_file)
 
-# Grant access to audio files to mediaserver
-allow mediaserver audio_data_file:dir ra_dir_perms;
-allow mediaserver audio_data_file:file create_file_perms;
-
 # Grant access to read files on appfuse.
 allow mediaserver app_fuse_file:file { read getattr };
 
@@ -91,7 +81,6 @@ allow mediaserver tee:unix_stream_socket connectto;
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver cameraserver_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
-- 
GitLab