Merge "Add documentation on neverallow rules"
bb46c335dc
5 changed files with 50 additions and 5 deletions
|
@ -43,5 +43,14 @@ allow audioserver audio_data_file:file create_file_perms;
|
|||
# domain transition
|
||||
neverallow audioserver { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# audioserver should never need network access. Disallow network sockets.
|
||||
# The goal of the mediaserver split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
|
|
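Review bot: The new rationale ("isolated from the rest of the system and network") promises more than the rule it sits above grants: `neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;` names only three socket classes, so a reader may take the comment as a blanket network guarantee. Consider adding a scope line to the comment, e.g. `# Note: this rule covers tcp/udp/rawip sockets only; other socket classes are not restricted here.`, or confirming in the comment where the remaining network-capable classes are handled. The same ten-line paragraph is pasted verbatim into the cameraserver, mediacodec, mediaextractor and mediametrics hunks; five copies will drift, so a single shared explanation referenced from each file would be easier to keep accurate. The hunk headers (5 old lines to 14 new) together with the diffstat's five deletions suggest one existing line per file was replaced, but the rendering does not show which; if the one-line "should never need network access" comment is the surviving old text, the two comments now partly repeat each other.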
@ -29,5 +29,14 @@ allow cameraserver surfaceflinger_service:service_manager find;
|
|||
# domain transition
|
||||
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# cameraserver should never need network access. Disallow network sockets.
|
||||
# The goal of the mediaserver split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
|
|
@ -31,5 +31,14 @@ allow mediacodec system_file:dir { open read };
|
|||
# domain transition
|
||||
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# mediacodec should never need network access. Disallow network sockets.
|
||||
# The goal of the mediaserver split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
|
|
@ -25,5 +25,14 @@ allow mediaextractor proc_meminfo:file r_file_perms;
|
|||
# domain transition
|
||||
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# mediaextractor should never need network access. Disallow network sockets.
|
||||
# The goal of the mediaserver split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
|
|
@ -22,5 +22,14 @@ allow mediametrics proc_meminfo:file r_file_perms;
|
|||
# domain transition
|
||||
neverallow mediametrics { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# mediametrics should never need network access. Disallow network sockets.
|
||||
# The goal of the mediaserver split is to place media processing code into
|
||||
# restrictive sandboxes with limited responsibilities and thus limited
|
||||
# permissions. Example: Audioserver is only responsible for controlling audio
|
||||
# hardware and processing audio content. Cameraserver does the same for camera
|
||||
# hardware/content. Etc.
|
||||
#
|
||||
# Media processing code is inherently risky and thus should have limited
|
||||
# permissions and be isolated from the rest of the system and network.
|
||||
# Lengthier explanation here:
|
||||
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
||||
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
|