Suppress mediaprover access to certain cache dirs avc: denied { getattr } for comm="sAsyncHandlerTh" path="/data/cache/recovery" dev="sda13" ino=7086082 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir avc: denied { getattr } for path="/data/cache/backup" scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:cache_private_backup_file:s0 tclass=dir Bug: 63038506 Bug: 35197529 Test: build police Change-Id: I51624c255e622bf712d41ca1bbf190ec3e4fefae (cherry picked from commit fcf1b2083935bd298a2ece8d6d0c18712865a04b)

commit: 182dbeb603120104adca7fe2fe1f63c8613b98d4 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Mon Jun 26 16:58:51 2017 -0700
committer: Jerry Zhang <zhangjerry@google.com> Thu Nov 09 18:39:58 2017 +0000
tree: 94085aabf4dc03088909347795a815009ee814d1
parent: 63f4677342eb93dd2ac90187671a52282190533a [diff]
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5a5e701..2c4a809 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te

@@ -14,6 +14,11 @@
 allow mediaprovider cache_file:file create_file_perms;
 # /cache is a symlink to /data/cache on some devices. Allow reading the link.
 allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
 
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
commit	182dbeb603120104adca7fe2fe1f63c8613b98d4	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Mon Jun 26 16:58:51 2017 -0700
committer	Jerry Zhang <zhangjerry@google.com>	Thu Nov 09 18:39:58 2017 +0000
tree	94085aabf4dc03088909347795a815009ee814d1
parent	63f4677342eb93dd2ac90187671a52282190533a [diff]