On 11/28/2012 11:20 AM, Peck, Michael A wrote:
I have an app that records audio and writes it into a file in the app’s
own internal storage directory, but it’s generating a denial message in
dmesg.

<5>[  764.181424] type=1400 audit(1353954893.125:9): avc:  denied  {
write } for  pid=1453 comm="IntentService[R"
path="/data/data/org.testapp /files/1353954893122.3gp" dev=mmcblk0p2
ino=49443 scontext=u:r:mediaserver:s0
tcontext=u:object_r:app_data_file:s0:c45,c256 tclass=file

Fixed by adding

allow mediaserver app_data_file:file write;

to mediaserver.te which is hopefully safe and appropriate to do? (I’m
new here)

I believe the application itself opens the file, then passes the file
descriptor to the mediaserver and the mediaserver writes to it.

(Relevant AOSP code is in
frameworks/base/media/java/android/media/MediaRecorder.java)

Some of my application code (can provide more if helpful):

MediaRecorder mRecorder = new MediaRecorder();
mRecorder.setAudioSource(MediaRecorder.AudioSource.MIC);
mRecorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
String fileName = System.currentTimeMillis() + ".3gp";
try {
    // The app opens the file in its private storage and hands the descriptor over
    mRecorder.setOutputFile(openFileOutput(fileName, MODE_PRIVATE).getFD());
} catch (IOException e) {
    // Error handling was not included in the posted snippet
}

setOutputFile can also be called with a String (path to the file) rather
than called with a file descriptor, but I think (from a quick glance at
the code) in that case the MediaRecorder code still has the application
open the file and pass the file descriptor to the mediaserver.

Your policy change seems reasonable, except that I would merge it into the existing allow rule between mediaserver and app_data_file, i.e.
allow mediaserver app_data_file:file rw_file_perms;
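
An added example, not part of the original thread: a small Python parser that turns AVC denial lines like the one quoted above into minimal allow rules, merging permissions per source type, target type and class in the way audit2allow does. The getattr denial, the unrelated kernel line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the denial from the post joined onto one line, plus a
# made-up getattr denial to show permissions being merged into one rule.
_TAIL = ('for  pid=1453 comm="IntentService[R" '
         'path="/data/data/org.testapp/files/1353954893122.3gp" dev=mmcblk0p2 '
         'ino=49443 scontext=u:r:mediaserver:s0 '
         'tcontext=u:object_r:app_data_file:s0:c45,c256 tclass=file')
POSTED_DENIAL = ('<5>[  764.181424] type=1400 audit(1353954893.125:9): '
                 'avc:  denied  { write } ' + _TAIL)
SAMPLE_DMESG = "\n".join([
    POSTED_DENIAL,
    '<5>[  764.190000] type=1400 audit(1353954893.130:10): '
    'avc:  denied  { getattr } ' + _TAIL,
    '<6>[  764.200000] unrelated kernel message',
])

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def context_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]

def allow_rules(log_text):
    """Build one allow rule per (source type, target type, class) triple."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        # Only the type is used in a TE rule; MLS level and categories are dropped.
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_DMESG)))
```
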


