Allow stat/read of /data/media files by app domains.

Resolves denials such as: avc: denied { read } for pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file avc: denied { getattr } for pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-04 13:44:01 -05:00 · 2014-03-04 13:44:01 -05:00 · 2737ceff23
commit 2737ceff23
parent 495e9d12b9
2 changed files with 3 additions and 4 deletions
--- a/app.te
+++ b/app.te
@ -108,6 +108,9 @@ allow appdomain system_data_file:lnk_file getattr;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;

+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow appdomain media_rw_data_file:file { read getattr };
+
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
--- a/bluetooth.te
+++ b/bluetooth.te
@ -47,10 +47,6 @@ allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 allow bluetooth sdcard_internal:dir create_dir_perms;
 allow bluetooth sdcard_internal:file create_file_perms;

-# Allow reading of media_rw_data_file file descriptors
-# passed to bluetooth
-allow bluetooth media_rw_data_file:file { read getattr };
-
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;