Limit mediaserver access to vendor_app_file

mediaserver is receiving a file passed as a file descriptor. Just read and map is enough, and open should not be allowed for mediaserver. Bug: 78436043
2018-08-17 16:15:09 -07:00 · 2018-08-17 16:15:09 -07:00 · cc82d194bd
commit cc82d194bd
parent 50ca0a0d18
1 changed files with 1 additions and 1 deletions
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@ -96,7 +96,7 @@ allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;

 # /vendor apk access
-allow mediaserver vendor_app_file:file r_file_perms;
+allow mediaserver vendor_app_file:file { read map };

 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {