Allow mediaserver to access vendor_app_file Currently, when vendor APK try to use MediaPlayer to play its audio resource, it would fail due to this neverallow rules. avc: denied { read } for path="/vendor/app/TicFitness/TicFitness.apk" dev="dm-1" ino=183 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0 Bug: 78436043 (fix CTS bug: 80163922) Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063 (cherry picked from commit 3623c2b6c0e7cafa56bf1f579845f5b45e683436)

commit: d53f0737d145ff064314082b6cd818e1bb439b73 [log] [tgz]
author: Zheng Zhang <zhzh@google.com> Mon Apr 23 20:47:05 2018 -0700
committer: Zheng Zhang <zhzh@google.com> Fri May 25 17:39:38 2018 +0000
tree: d8f75fb8207504414c683f9b35762a77011df545
parent: 473cc5e17d09911f0ffea82bbef26ca1896086a6 [diff]
diff --git a/public/domain.te b/public/domain.te
index d2b370a..acbae69 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -691,6 +691,7 @@
         -installd
         -postinstall_dexopt
         -system_server
+        -mediaserver
     } vendor_app_file:{ file lnk_file } r_file_perms;
 
     # Limit access to /vendor/overlay

diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6efaf0f..93783fb 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te

@@ -102,6 +102,9 @@
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights
commit	d53f0737d145ff064314082b6cd818e1bb439b73	[log] [tgz]
author	Zheng Zhang <zhzh@google.com>	Mon Apr 23 20:47:05 2018 -0700
committer	Zheng Zhang <zhzh@google.com>	Fri May 25 17:39:38 2018 +0000
tree	d8f75fb8207504414c683f9b35762a77011df545
parent	473cc5e17d09911f0ffea82bbef26ca1896086a6 [diff]