From 38c12828da157dfecd53cf20de5a67092cc1482d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 16 Feb 2017 12:34:51 -0800
Subject: [PATCH] Add documentation on neverallow rules

Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9
---
 private/audioserver.te   | 11 ++++++++++-
 public/cameraserver.te   | 11 ++++++++++-
 public/mediacodec.te     | 11 ++++++++++-
 public/mediaextractor.te | 11 ++++++++++-
 public/mediametrics.te   | 11 ++++++++++-
 5 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/private/audioserver.te b/private/audioserver.te
index 17abd837d..95a752169 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,5 +43,14 @@ allow audioserver audio_data_file:file create_file_perms;
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
-# audioserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index aa7d107f3..f2364a7ae 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -29,5 +29,14 @@ allow cameraserver surfaceflinger_service:service_manager find;
 # domain transition
 neverallow cameraserver { file_type fs_type }:file execute_no_trans;
 
-# cameraserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6b4d67718..f8986de0c 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -31,5 +31,14 @@ allow mediacodec system_file:dir { open read };
 # domain transition
 neverallow mediacodec { file_type fs_type }:file execute_no_trans;
 
-# mediacodec should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index deecc00ba..dc7c90e0a 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,5 +25,14 @@ allow mediaextractor proc_meminfo:file r_file_perms;
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
 
-# mediaextractor should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 84d184bd9..ce2dab722 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -22,5 +22,14 @@ allow mediametrics proc_meminfo:file r_file_perms;
 # domain transition
 neverallow mediametrics { file_type fs_type }:file execute_no_trans;
 
-# mediametrics should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
-- 
GitLab