diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-27 09:45:26 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-27 09:51:18 -0400 |
commit | 3fbc536dfd5afbce5ef45f18d0afb3516089ed88 (patch) | |
tree | f54f8c452034320faa4e27549e3b8b569f5bdd5d /drmserver.te | |
parent | 9fc0d40eff46d1319f282df68376c335c3115c36 (diff) | |
download | android_external_sepolicy-3fbc536dfd5afbce5ef45f18d0afb3516089ed88.tar.gz android_external_sepolicy-3fbc536dfd5afbce5ef45f18d0afb3516089ed88.tar.bz2 android_external_sepolicy-3fbc536dfd5afbce5ef45f18d0afb3516089ed88.zip |
Allow reading of radio data files passed over binder.
Addresses denials such as:
avc: denied { read } for pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { getattr } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { read } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { getattr } for pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
avc: denied { read } for pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
This does not allow write denials such as:
avc: denied { write } for pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
Need to understand whether write access is in fact required.
Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'drmserver.te')
-rw-r--r-- | drmserver.te | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drmserver.te b/drmserver.te index c8e0b21..e2b62df 100644 --- a/drmserver.te +++ b/drmserver.te @@ -41,3 +41,6 @@ r_dir_file(drmserver, media_rw_data_file) # Read resources from open apk files passed over Binder. allow drmserver apk_data_file:file { read getattr }; allow drmserver asec_apk_file:file { read getattr }; + +# Read /data/data/com.android.providers.telephony files passed over Binder. +allow drmserver radio_data_file:file { read getattr }; |