Merge "mediaextractor: neverallow network access"

2016-01-05 17:49:56 +00:00 · 2016-01-05 17:49:56 +00:00 · ccc8e4f992
commit ccc8e4f992
parent a8d89c3102 1fd0aa2bf1
1 changed files with 10 additions and 0 deletions
--- a/mediaextractor.te
+++ b/mediaextractor.te
@ -40,3 +40,13 @@ allow mediaextractor drmserver:drmservice {
 # mediaextractor should never execute any executable without a
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# mediaextractor should never need network access. Disallow all sockets
+# other than unix sockets i.e. unix_stream_socket and unix_dgram_socket
+neverallow mediaextractor domain:{
+  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
+  key_socket appletalk_socket netlink_route_socket netlink_firewall_socket
+  netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
+  netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  } *;