Add documentation on neverallow rules

Better document the reasons behind the neverallow for tcp/udp sockets. Test: policy compiles. Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9

Add documentation on neverallow rules
Better document the reasons behind the neverallow for tcp/udp sockets. Test: policy compiles. Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9
38c12828 · Nick Kralevich · 3a8426bf · 38c12828 · 38c12828 · 38c12828
Commit 38c12828 authored 8 years ago by Nick Kralevich
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,5 +43,14 @@ allow audioserver audio_data_file:file create_file_perms;
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;

-# audioserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -29,5 +29,14 @@ allow cameraserver surfaceflinger_service:service_manager find;
 # domain transition
 neverallow cameraserver { file_type fs_type }:file execute_no_trans;

-# cameraserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -31,5 +31,14 @@ allow mediacodec system_file:dir { open read };
 # domain transition
 neverallow mediacodec { file_type fs_type }:file execute_no_trans;

-# mediacodec should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,5 +25,14 @@ allow mediaextractor proc_meminfo:file r_file_perms;
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;

-# mediaextractor should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -22,5 +22,14 @@ allow mediametrics proc_meminfo:file r_file_perms;
 # domain transition
 neverallow mediametrics { file_type fs_type }:file execute_no_trans;

-# mediametrics should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;