Extend mediaextractor file read permissions

Permit mediaextractor its own file source for apk and ringtone files. Previously we fall back to the mediaserver file source. This does not affect behavior as the fallback works fine; however, the log messages may cause confusion. [73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read } for pid=18381 comm="generic" path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35" ino=2490374 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0 [73402.683932] type=1400 audit(1491338955.884:122): avc: denied { read } for pid=18383 comm="generic" path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35" ino=2490376 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0 Test: Ringtone and CTS Bug: 37500781 Change-Id: Ie6d8e6d2b7301d00957733f173aeebbe9d0d1998

Extend mediaextractor file read permissions
Permit mediaextractor its own file source for apk and ringtone files. Previously we fall back to the mediaserver file source. This does not affect behavior as the fallback works fine; however, the log messages may cause confusion. [73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read } for pid=18381 comm="generic" path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35" ino=2490374 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0 [73402.683932] type=1400 audit(1491338955.884:122): avc: denied { read } for pid=18383 comm="generic" path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35" ino=2490376 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0 Test: Ringtone and CTS Bug: 37500781 Change-Id: Ie6d8e6d2b7301d00957733f173aeebbe9d0d1998
f239fcf5 · Andy Hung · 0d1b2ce1 · f239fcf5
Commit f239fcf5 authored 7 years ago by Andy Hung
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,6 +23,11 @@ crash_dump_fallback(mediaextractor)
 # allow mediaextractor read permissions for file sources
 allow mediaextractor media_rw_data_file:file { getattr read };

+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
 ###
 ### neverallow rules
 ###