From bf65c7ef5f63782737ac7605009717d7e1987462 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 13 Aug 2015 22:33:49 -0700
Subject: [PATCH] mediaserver: remove /system/bin/toolbox exec access

In Android 5.1, mediaserver couldn't execute any file on /system. This slightly regressed due to 8a0c25efb0553576afadc157b86b65eedf2ef917, which granted mediaserver access to execute /system/bin/toolbox and /system/bin/toybox

Revoke that unneeded access and add a neverallow rule to prevent regressions.

TODO: Remove toolbox_exec:file execute permissions from domain.te and add it back to the specific domains that need it.

Change-Id: Ia7bc6028a9ffb723d4623d91cbe15c8c1bbb2eb9
---
 domain.te | 4 ++--
 mediaserver.te | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 87422de98..3f29fb665 100644
--- a/domain.te
+++ b/domain.te
@@ -110,8 +110,8 @@ allow domain system_file:file execute;
 allow domain system_file:lnk_file r_file_perms;
 
 # Run toolbox.
-# Kernel and init never run anything without changing domains.
-allow { domain -kernel -init } toolbox_exec:file rx_file_perms;
+# Kernel, init, and mediaserver never run anything without changing domains.
+allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
 
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
diff --git a/mediaserver.te b/mediaserver.te
index af455538f..f38a3ec6f 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -105,3 +105,11 @@ allow mediaserver drmserver:drmservice {
   finalizeDecryptUnit
   pread
 };
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-- 
GitLab
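Review bot: The new exclusion list in domain.te (`allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;`) gives a maintainer no hint that the mediaserver exclusion is load-bearing, so a future edit that "simplifies" the set back to `-kernel -init` would only be caught by the neverallow added in mediaserver.te. A cross-reference comment keeps that dependency visible where the rule lives: `# mediaserver is excluded here because mediaserver.te neverallows execute_no_trans for it.` The replaced comment line "Kernel, init, and mediaserver never run anything without changing domains" also overstates what this single rule covers — it only removes toolbox_exec — so phrasing it as the exclusion being required by the neverallow is more accurate than a claim about what those domains never do.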
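Review bot: The added `neverallow mediaserver { file_type fs_type }:file execute_no_trans;` forbids only no-transition execution, while `execute` on system_file (visible in the context of the domain.te hunk, `allow domain system_file:file execute;`) is left in place; the new comment "should never execute any executable without a domain transition" does not say that this is deliberate. Since `execute` is presumably still needed for mapping shared libraries and for the transition path itself, the comment should state the distinction so that nobody later "tightens" it to a plain `execute` neverallow and breaks library loading: `# execute_no_trans only: plain execute stays permitted for library mapping and domain transitions.` It may also be worth noting in the same comment that the rule is checked at policy build time, so a reintroduced allow fails compilation rather than surfacing as a runtime denial. The `allow mediaserver drmserver:drmservice { ... }` statement at the top of this hunk begins outside the hunk.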