From 21f77f630b656b9acc034a04e5bf2303118937b0 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 22 Apr 2016 15:34:40 -0700
Subject: [PATCH] buildtime/cts enforce no inet access for media domains

Bug: 28348382
Change-Id: Iaab1430750dfbb997900d3d70993c9fff2a8745d
---
 audioserver.te    | 2 ++
 cameraserver.te   | 3 +++
 mediacodec.te     | 5 ++---
 mediaextractor.te | 5 ++---
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/audioserver.te b/audioserver.te
index 08654978c..6f6d95571 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -48,3 +48,5 @@ unix_socket_connect(audioserver, bluetooth, bluetooth)
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
+# audioserver should never need network access. Disallow network sockets.
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
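Review bot: The comment on the added rule says network sockets are disallowed, but the rule names only `tcp_socket`, `udp_socket` and `rawip_socket`, so `packet_socket` (link-layer access) stays outside the build-time/CTS guarantee. Either extend the set, `neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket packet_socket } *;`, or word the comment to match what is enforced, `# audioserver should never need inet access. Disallow TCP, UDP and raw IP sockets.` The same applies to the identical rules added in the cameraserver.te, mediacodec.te and mediaextractor.te hunks. Whether any existing allow rule grants these domains a packet socket is not visible from the hunks, so the wider set would need a policy build to confirm.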
diff --git a/cameraserver.te b/cameraserver.te
index 6520969a7..4f50f8d94 100644
--- a/cameraserver.te
+++ b/cameraserver.te
@@ -34,3 +34,6 @@ allow cameraserver surfaceflinger_service:service_manager find;
 # cameraserver should never execute any executable without a
 # domain transition
 neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# cameraserver should never need network access. Disallow network sockets.
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/mediacodec.te b/mediacodec.te
index adba40be8..3d3625ab7 100644
--- a/mediacodec.te
+++ b/mediacodec.te
@@ -26,6 +26,5 @@ allow mediacodec ion_device:chr_file rw_file_perms;
 # domain transition
 neverallow mediacodec { file_type fs_type }:file execute_no_trans;
 
-# mediacodec should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediacodec { domain -debuggerd -dumpstate -adbd -mediacodec -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediacodec should never need network access. Disallow network sockets.
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
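Review bot: Replacing the `socket_class_set` rule with the three inet classes removes the build-time check on every other socket class for mediacodec, including unix stream/datagram sockets to domains outside the old exception list and the netlink classes. After this hunk only the allow rules limit those, so a later allow rule granting mediacodec a unix socket to an unrelated domain would no longer fail the build. If the narrowing is what makes the rule enforceable by CTS (the subject line suggests so), record that in the comment, e.g. `# Only inet sockets are neverallowed here; unix and netlink socket access is limited by allow rules alone.` The mediaextractor.te hunk makes the same replacement and would take the same comment.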
diff --git a/mediaextractor.te b/mediaextractor.te
index 5936eb6ea..3ebb5b70f 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -21,6 +21,5 @@ allow mediaextractor mediaextractor_service:service_manager add;
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
 
-# mediaextractor should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediaextractor { domain -debuggerd -dumpstate -adbd -mediaextractor -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediaextractor should never need network access. Disallow network sockets.
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
-- 
GitLab