From d329e7ebc96cf8aa18bdd543c09dd1b091d1d259 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 6 Oct 2017 13:05:32 -0700
Subject: [PATCH] mediaextractor: ensure no direct open()s

Mediaextractor should only be operating on data passed directly to it. It shouldn't be attempting to open /data files on it's own. Add a neverallow statement (compile time assertion + CTS test) to ensure this is the case.

Bug: 67454004
Test: policy compiles. No runtime impact.
Change-Id: Ie94d4cb9aece7e72fbd13321f339dcf9d44d5d77
---
 public/mediaextractor.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 915d47825..f8e8a6b39 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -53,3 +53,11 @@ neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+ data_file_type
+ -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+}:file open;
--
GitLab
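Review bot: The new neverallow at the end of the hunk constrains only the `file` class, so an `open` of a `data_file_type` directory (`dir`) or symlink (`lnk_file`) would still pass compile-time checking if some allow rule grants it; if the intent stated in the comment is that mediaextractor never opens anything under /data itself, consider widening the class set, e.g. `}:{ file dir lnk_file } open;`, after confirming no existing allow rule for mediaextractor depends on directory opens. The comment's "with a few exceptions" gives the reader nowhere to look for those exceptions, since the negated types inside the braces are the only list; a line such as `# Exceptions are the negated types below; each one must carry a comment saying why it is needed.` would make the convention explicit, and the `-zoneinfo_data_file` entry already follows it. It would also help the next maintainer to note why `open` is the permission being gated: it is checked on the process that obtains the descriptor, so a descriptor opened elsewhere and passed in is unaffected, which is exactly the design the commit message describes.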