mediaextractor: ensure no direct open()s Mediaextractor should only be operating on data passed directly to it. It shouldn't be attempting to open /data files on it's own. Add a neverallow statement (compile time assertion + CTS test) to ensure this is the case. Bug: 67454004 Test: policy compiles. No runtime impact. Change-Id: Ie94d4cb9aece7e72fbd13321f339dcf9d44d5d77

commit: d329e7ebc96cf8aa18bdd543c09dd1b091d1d259 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Oct 06 13:05:32 2017 -0700
committer: Nick Kralevich <nnk@google.com> Sat Oct 07 15:01:24 2017 +0000
tree: 83a6d87239769bd888a95bd03ea28eb3a64390de
parent: 73b11f8799eb7de93e55b11b3cdcea9bb456c399 [diff]
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 915d478..f8e8a6b 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te

@@ -53,3 +53,11 @@
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+  data_file_type
+  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+}:file open;
commit	d329e7ebc96cf8aa18bdd543c09dd1b091d1d259	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Oct 06 13:05:32 2017 -0700
committer	Nick Kralevich <nnk@google.com>	Sat Oct 07 15:01:24 2017 +0000
tree	83a6d87239769bd888a95bd03ea28eb3a64390de
parent	73b11f8799eb7de93e55b11b3cdcea9bb456c399 [diff]