Allow mediaserver to access vendor_app_file
Currently, when a vendor APK tries to use MediaPlayer to play its audio
resource, it fails due to this neverallow rule.
avc: denied { read } for path="/vendor/app/TicFitness/TicFitness.apk" dev="dm-1" ino=183 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0
Bug: 78436043
(fix CTS bug: 80163922)
Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063
(cherry picked from commit 3623c2b6c0e7cafa56bf1f579845f5b45e683436)
diff --git a/public/domain.te b/public/domain.te
index d2b370a..acbae69 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -691,6 +691,7 @@
-installd
-postinstall_dexopt
-system_server
+ -mediaserver
} vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay
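Review bot: The added `-mediaserver` exemption has no comment explaining why a process that parses untrusted media is let out of the /vendor/app neverallow, so the reason lives only in the commit message. I would put a line directly above it such as `# b/78436043: mediaserver plays audio from vendor APKs`. The exemption also applies to `lnk_file`, while the matching allow in mediaserver.te grants `file` only; that is harmless, but worth knowing when auditing the list. The neverallow statement opens above the hunk, so the rest of the exemption list is not visible here.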
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6efaf0f..93783fb 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -102,6 +102,9 @@
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
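Review bot: `r_file_perms` on the added allow includes `open`, so mediaserver can open any vendor_app_file by path, whereas the denial quoted in the commit message is for `read` alone. That pattern looks like a descriptor handed over by the app rather than a path open, though the page does not confirm it. If so, `allow mediaserver vendor_app_file:file { getattr read };` would cover MediaPlayer playback while limiting mediaserver to files a caller has already opened; check for further denials on a test build before narrowing. The `# /vendor apk access` comment could also name the bug so the grant can be traced later.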