buildtime/cts enforce no inet access for media domains Bug: 28348382 Change-Id: Iaab1430750dfbb997900d3d70993c9fff2a8745d

commit: 21f77f630b656b9acc034a04e5bf2303118937b0 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Fri Apr 22 15:34:40 2016 -0700
committer: Jeff Vander Stoep <jeffv@google.com> Fri Apr 22 15:39:00 2016 -0700
tree: 78e6e14c452a5c4b0e1c77f04d31b8867869c511
parent: 10908ff29dfb654787f99f1e4ea7e4bf2c93aec9 [diff]
diff --git a/audioserver.te b/audioserver.te
index 0865497..6f6d955 100644
--- a/audioserver.te
+++ b/audioserver.te

@@ -48,3 +48,5 @@
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
+# audioserver should never need network access. Disallow network sockets.
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;

diff --git a/cameraserver.te b/cameraserver.te
index 6520969..4f50f8d 100644
--- a/cameraserver.te
+++ b/cameraserver.te

@@ -34,3 +34,6 @@
 # cameraserver should never execute any executable without a
 # domain transition
 neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# cameraserver should never need network access. Disallow network sockets.
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;

diff --git a/mediacodec.te b/mediacodec.te
index adba40b..3d3625a 100644
--- a/mediacodec.te
+++ b/mediacodec.te

@@ -26,6 +26,5 @@
 # domain transition
 neverallow mediacodec { file_type fs_type }:file execute_no_trans;
 
-# mediacodec should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediacodec { domain -debuggerd -dumpstate -adbd -mediacodec -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediacodec should never need network access. Disallow network sockets.
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;

diff --git a/mediaextractor.te b/mediaextractor.te
index 5936eb6..3ebb5b7 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te

@@ -21,6 +21,5 @@
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
 
-# mediaextractor should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediaextractor { domain -debuggerd -dumpstate -adbd -mediaextractor -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediaextractor should never need network access. Disallow network sockets.
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
commit	21f77f630b656b9acc034a04e5bf2303118937b0	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Fri Apr 22 15:34:40 2016 -0700
committer	Jeff Vander Stoep <jeffv@google.com>	Fri Apr 22 15:39:00 2016 -0700
tree	78e6e14c452a5c4b0e1c77f04d31b8867869c511
parent	10908ff29dfb654787f99f1e4ea7e4bf2c93aec9 [diff]