commit 38c12828da157dfecd53cf20de5a67092cc1482d
author Nick Kralevich <nnk@google.com> Thu Feb 16 12:34:51 2017 -0800
committer Nick Kralevich <nnk@google.com> Fri Feb 17 22:37:23 2017 +0000
tree 52c33cffcdc4b53b4e117772cc91abcbba26e711
parent 3a8426bf890aa77ca2da4a000a298f860b9e530f

Add documentation on neverallow rules

Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9

private/audioserver.te

diff --git a/private/audioserver.te b/private/audioserver.te
index 17abd83..95a7521 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,5 +43,14 @@
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
-# audioserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;