Merge "Switch Bluetooth HAL policy to _client/_server"
diff --git a/private/audioserver.te b/private/audioserver.te
index 17abd83..95a7521 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,5 +43,14 @@
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
-# audioserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index aa7d107..f2364a7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -29,5 +29,14 @@
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-# cameraserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/domain.te b/public/domain.te
index 9993f2f..e2c71da 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,7 +378,7 @@
-system_server
-shell # Shell is further restricted in shell.te
-ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file rw_file_perms;
+} frp_block_device:blk_file no_rw_file_perms;
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
diff --git a/public/fsck.te b/public/fsck.te
index 2f0a838..8f3b17a 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,9 +19,16 @@
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
r_dir_file(fsck, proc)
allow fsck rootfs:dir r_dir_perms;
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 98806dd..a9dd805 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -14,6 +14,17 @@
r_dir_file(fsck_untrusted, proc)
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
###
### neverallow rules
###
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6b4d677..f8986de 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -31,5 +31,14 @@
# domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-# mediacodec should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index deecc00..dc7c90e 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,5 +25,14 @@
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-# mediaextractor should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 84d184b..ce2dab7 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -22,5 +22,14 @@
# domain transition
neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-# mediametrics should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;