From f239fcf5f277eea44be38b11048f86bff60af6c8 Mon Sep 17 00:00:00 2001
From: Andy Hung <hunga@google.com>
Date: Wed, 19 Apr 2017 10:05:38 -0700
Subject: [PATCH] Extend mediaextractor file read permissions

Permit mediaextractor its own file source for apk and ringtone files.

Previously we fell back to the mediaserver file source.
This does not affect behavior as the fallback works fine; however,
the log messages may cause confusion.

    [73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read }
    for pid=18381 comm="generic"
    path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35"
    ino=2490374 scontext=u:r:mediaextractor:s0
    tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
    [73402.683932] type=1400 audit(1491338955.884:122): avc: denied { read }
    for pid=18383 comm="generic"
    path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35"
    ino=2490376 scontext=u:r:mediaextractor:s0
    tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0

Test: Ringtone and CTS
Bug: 37500781

Change-Id: Ie6d8e6d2b7301d00957733f173aeebbe9d0d1998
---
 public/mediaextractor.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 969c1a570..e1b460d65 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,6 +23,11 @@ crash_dump_fallback(mediaextractor)
 # allow mediaextractor read permissions for file sources
 allow mediaextractor media_rw_data_file:file { getattr read };
 
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
 ###
 ### neverallow rules
 ###
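Review bot: The comment above the added rules describes only "open apk files passed over Binder", yet the third rule grants ringtone_file:file { read getattr }, which is not an apk; the audit denials in the commit message are exactly those ringtone cache paths. Suggest giving the ringtone grant its own comment, e.g. `# Read ringtone cache files (fds passed over Binder)` above the ringtone_file line, so the rule and its reason are not mismatched. None of the three rules grants `open`, which appears intentional since mediaextractor should only consume descriptors handed to it rather than open these files itself; stating that in the comment, e.g. `# open is deliberately omitted: fds are received over Binder`, would make the least-privilege boundary explicit for future readers.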
-- 
GitLab