Merge "mediaextractor: ensure no direct open()s" am: e22e99a68b am: ea17be6014 am: cbb0543d3f Change-Id: Ibf8ee8c6da1fbb3358179044c99861905751884c

commit: 6eef5589d2cc3562516f724788661f54e8d8d85a [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Oct 07 18:04:30 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Sat Oct 07 18:04:30 2017 +0000
tree: 2c792fcab99d1a8b721cbcbbd040078e5de62ffa
parent: 0011fd408c89e728c9ea49c781fe1673685efa88 [diff]
parent: cbb0543d3f836cd20708caca217fd03aac4071df [diff]
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 915d478..f8e8a6b 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te

@@ -53,3 +53,11 @@
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+  data_file_type
+  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+}:file open;
commit	6eef5589d2cc3562516f724788661f54e8d8d85a	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Oct 07 18:04:30 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Sat Oct 07 18:04:30 2017 +0000
tree	2c792fcab99d1a8b721cbcbbd040078e5de62ffa
parent	0011fd408c89e728c9ea49c781fe1673685efa88 [diff]
parent	cbb0543d3f836cd20708caca217fd03aac4071df [diff]