buildtime/cts enforce no inet access for media domains Bug: 28348382 Change-Id: Iaab1430750dfbb997900d3d70993c9fff2a8745d

commit: 21f77f630b656b9acc034a04e5bf2303118937b0 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Fri Apr 22 15:34:40 2016 -0700
committer: Jeff Vander Stoep <jeffv@google.com> Fri Apr 22 15:39:00 2016 -0700
tree: 78e6e14c452a5c4b0e1c77f04d31b8867869c511
parent: 10908ff29dfb654787f99f1e4ea7e4bf2c93aec9 [diff] [blame]
diff --git a/mediacodec.te b/mediacodec.te
index adba40b..3d3625a 100644
--- a/mediacodec.te
+++ b/mediacodec.te

@@ -26,6 +26,5 @@
 # domain transition
 neverallow mediacodec { file_type fs_type }:file execute_no_trans;
 
-# mediacodec should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediacodec { domain -debuggerd -dumpstate -adbd -mediacodec -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediacodec should never need network access. Disallow network sockets.
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
commit	21f77f630b656b9acc034a04e5bf2303118937b0	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Fri Apr 22 15:34:40 2016 -0700
committer	Jeff Vander Stoep <jeffv@google.com>	Fri Apr 22 15:39:00 2016 -0700
tree	78e6e14c452a5c4b0e1c77f04d31b8867869c511
parent	10908ff29dfb654787f99f1e4ea7e4bf2c93aec9 [diff] [blame]