From 1fd0aa2bf17927bac39fc4db6c19a1302737d427 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 5 Jan 2016 08:54:11 -0800
Subject: [PATCH] mediaextractor: neverallow network access

Disallow access to all sockets other than unix_stream and unix_dgram

Change-Id: Ie8ff80db7051ce57e56ef0365a4873aacdd5b652
---
 mediaextractor.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/mediaextractor.te b/mediaextractor.te
index 4ce25e916..13ea661e8 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -40,3 +40,13 @@ allow mediaextractor drmserver:drmservice {
 # mediaextractor should never execute any executable without a
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# mediaextractor should never need network access. Disallow all sockets
+# other than unix sockets i.e. unix_stream_socket and unix_dgram_socket
+neverallow mediaextractor domain:{
+  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
+  key_socket appletalk_socket netlink_route_socket netlink_firewall_socket
+  netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
+  netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  } *;