Add documentation on neverallow rules

Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9
diff --git a/private/audioserver.te b/private/audioserver.te
index 17abd83..95a7521 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,5 +43,14 @@
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
-# audioserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
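Review bot: The rewritten comment above the neverallow on the last line of the hunk drops the domain-specific statement the removed line carried ("audioserver should never need network access"), so a reader of this file no longer sees that this particular domain has no legitimate network use; I'd keep a one-line per-domain lead-in such as `# audioserver should never need network access. Disallow network sockets.` ahead of the shared rationale. The same ten-line block is pasted verbatim into cameraserver.te, mediacodec.te, mediaextractor.te and mediametrics.te, and five copies will drift, so consider reducing each copy to the domain-specific sentence plus the blog link, or noting in each that the text is shared with the other media domains. The comment also speaks of isolation from "the network" in general, while the rule itself denies only `tcp_socket`, `udp_socket` and `rawip_socket`; naming those three classes in the comment would keep the documented guarantee aligned with what the rule actually enforces, and any other socket classes presumably need to be covered by rules elsewhere.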
diff --git a/public/cameraserver.te b/public/cameraserver.te
index aa7d107..f2364a7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -29,5 +29,14 @@
 # domain transition
 neverallow cameraserver { file_type fs_type }:file execute_no_trans;
 
-# cameraserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6b4d677..f8986de 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -31,5 +31,14 @@
 # domain transition
 neverallow mediacodec { file_type fs_type }:file execute_no_trans;
 
-# mediacodec should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index deecc00..dc7c90e 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,5 +25,14 @@
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
 
-# mediaextractor should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 84d184b..ce2dab7 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -22,5 +22,14 @@
 # domain transition
 neverallow mediametrics { file_type fs_type }:file execute_no_trans;
 
-# mediametrics should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;