From efc7299169d9376ba7edea22a10856be14d39d95 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 13 May 2014 08:07:31 -0400
Subject: [PATCH] Allow mediaserver to use app-created pipes.
Resolves denials such as: avc: denied { getattr } for path="pipe:[167684]" dev="pipefs" ino=167684 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
Change-Id: I1120c8b130a592e40992c5233650345640a23a87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 mediaserver.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/mediaserver.te b/mediaserver.te
index 1e3c41ae7..6fdc0803b 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -44,6 +44,9 @@ allow mediaserver asec_apk_file:file { read getattr };
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow mediaserver radio_data_file:file { read getattr };
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
 # Access camera device.
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
--
GitLab
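Review bot: The added rule `allow mediaserver appdomain:fifo_file { getattr read write };` grants `read` and `write` on pipes labelled with any domain in `appdomain`, but the denial quoted in the commit message shows only `getattr` against `untrusted_app`, so nothing visible here justifies `write`. The comment should name the data flow that needs each direction, or the rule should drop `write` if mediaserver only consumes app-supplied data. It would also help to record that `open` is left out on purpose, which appears to match the neighbouring `{ read getattr }` rules for files passed over Binder, for example `# Use pipes passed over Binder from app domains (already-open descriptors only; no open).` The rest of mediaserver.te lies outside the hunk, so whether a narrower attribute than `appdomain` would cover the real callers cannot be judged from here.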