From 3623c2b6c0e7cafa56bf1f579845f5b45e683436 Mon Sep 17 00:00:00 2001
From: Zheng Zhang <zhzh@google.com>
Date: Mon, 23 Apr 2018 20:47:05 -0700
Subject: [PATCH] Allow mediaserver to access vendor_app_file

Currently, when vendor APK try to use MediaPlayer to play its audio
resource, it would fail due to this neverallow rules.

avc: denied { read } for path="/vendor/app/TicFitness/TicFitness.apk" dev="dm-1" ino=183 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0

Bug: 78436043
Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063
---
 public/domain.te      | 1 +
 public/mediaserver.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 3a914d7b5..1dc2a41df 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -953,6 +953,7 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
+        -mediaserver
     } vendor_app_file:file r_file_perms;
 ')
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index b20835a25..861d11d61 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -95,6 +95,9 @@ allow mediaserver hidl_token_hwservice:hwservice_manager find;
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights
-- 
GitLab