From cc82d194bdbdafeecab804e183ad2ab899a513c0 Mon Sep 17 00:00:00 2001
From: Zheng Zhang <zhzh@google.com>
Date: Fri, 17 Aug 2018 16:15:09 -0700
Subject: [PATCH] Limit mediaserver access to vendor_app_file

mediaserver receives this file as a file descriptor passed in from another
process. read and map are sufficient; open should not be allowed for mediaserver.

Bug: 78436043
---
 public/mediaserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/mediaserver.te b/public/mediaserver.te
index b9b08dd17..c0d4e701c 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -96,7 +96,7 @@ allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
 # /vendor apk access
-allow mediaserver vendor_app_file:file r_file_perms;
+allow mediaserver vendor_app_file:file { read map };
 
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
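Review bot: The new rule on the `+allow mediaserver vendor_app_file:file { read map };` line drops more than `open`: `r_file_perms` (per global_macros in this tree) also expands to `getattr`, `ioctl` and `lock`, and `getattr` is what an `fstat()` on the received descriptor needs, which is a common step before `mmap()` to learn the file size. If mediaserver sizes its mapping that way, this change will produce an avc denial on a path the commit message says is meant to keep working; a quick check of the audit log under the fd-passing path would confirm, and the explicit form `allow mediaserver vendor_app_file:file { getattr read map };` keeps the intent (no open) while covering it. The comment above the rule still reads "/vendor apk access", which no longer conveys the restriction; `# /vendor apk access: fd is passed in, so no open (fd-only read/map)` would record the rationale beside the rule.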
-- 
GitLab