mediacodec: allow dir read in /vendor
avc: denied { read } for name="hw" dev="dm-1" ino=97
scontext=u:r:mediacodec:s0 tcontext=u:object_r:system_file:s0
tclass=dir
Test: marlin builds and boots without this denial
Bug: 35197529
Change-Id: Ib1b875bcfa0e8d2358303e4eb004983433b0a13a
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 805baa0..1c7e243 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -1,6 +1,9 @@
allow mediacodec perfd:unix_stream_socket connectto;
allow mediacodec perfd_data_file:dir search;
allow mediacodec perfd_data_file:sock_file write;
+
+allow mediacodec system_file:dir r_dir_perms;
+
allow mediacodec sysfs_soc:dir search;
allow mediacodec sysfs_soc:file r_file_perms;
# Only allow gpu ioctl commands that have been demonstrated to be necessary.
