From 3fbc536dfd5afbce5ef45f18d0afb3516089ed88 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Thu, 27 Mar 2014 09:45:26 -0400 Subject: [PATCH] Allow reading of radio data files passed over binder. Addresses denials such as: avc: denied { read } for pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file This does not allow write denials such as: avc: denied { write } for pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file Need to understand whether write access is in fact required. Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468 
Signed-off-by: Stephen Smalley
---
 app.te | 3 +++
 drmserver.te | 3 +++
 mediaserver.te | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/app.te b/app.te
index 06ede7263..cd1d7752d 100644
--- a/app.te
+++ b/app.te
@@ -101,6 +101,9 @@ allow appdomain system_data_file:lnk_file getattr;
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow appdomain radio_data_file:file { read getattr };
+
 
 # Access SDcard.
 allow appdomain sdcard_type:dir create_dir_perms;
 allow appdomain sdcard_type:file create_file_perms;
diff --git a/drmserver.te b/drmserver.te
index c8e0b2170..e2b62df2e 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -41,3 +41,6 @@ r_dir_file(drmserver, media_rw_data_file)
 # Read resources from open apk files passed over Binder.
 allow drmserver apk_data_file:file { read getattr };
 allow drmserver asec_apk_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr };
diff --git a/mediaserver.te b/mediaserver.te
index 43783d653..cdd9772b9 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -40,6 +40,9 @@ allow mediaserver sysfs:file rw_file_perms;
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver asec_apk_file:file { read getattr };
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
 
 # Access camera device.
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
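Review bot: The new rule in app.te grants `{ read getattr }` on radio_data_file without `open`, which is what keeps this to descriptors the telephony provider has already opened and handed over Binder rather than direct access to its files, but the comment does not say that, and a later reader fixing an `open` denial may widen it to `r_file_perms` without noticing the distinction; suggest `# No open permission: only descriptors received over Binder, not direct access to the provider's files.` alongside the existing comment. The same applies to the drmserver.te and mediaserver.te hunks. appdomain also covers every app domain, while the app-side denials quoted in the message come only from untrusted_app; if granting this read access to all app domains is intentional, a word on that in the same comment would help, and if not, untrusted_app is the narrower target the logged denials support.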