Limit mediaserver access to vendor_app_file

mediaserver is receiving a file passed as a file descriptor. Just read and map is enough, and open should not be allowed for mediaserver. Bug: 78436043

Limit mediaserver access to vendor_app_file
mediaserver is receiving a file passed as a file descriptor. Just read and map is enough, and open should not be allowed for mediaserver. Bug: 78436043
cc82d194 · Zheng Zhang · 50ca0a0d · cc82d194
Commit cc82d194 authored 6 years ago by Zheng Zhang
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -96,7 +96,7 @@ allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;

 # /vendor apk access
-allow mediaserver vendor_app_file:file r_file_perms;
+allow mediaserver vendor_app_file:file { read map };

 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {