The goal of the mediaserver split is to place media processing code into
restrictive sandboxes with limited responsibilities and thus limited
permissions. Example: Audioserver is only responsible for controlling audio
hardware and processing audio content. Cameraserver does the same for
camera hardware/content. Etc.

Media processing code is inherently risky and thus should have limited
permissions and be isolated from the rest of the system and network.
Lengthier explanation here:
https://android-developers.googleblog.com/2016/05/hardening-media-stack.html

Neverallow rules are intended to enforce that, and prevent weakening of the
security properties of the system.

Many Apps and processes receive audio content over the network and use the
audioserver sandbox to safely prepare and play it using audioserver's API.
Please do the same.

On Tue, Feb 14, 2017 at 7:54 PM Inamdar Sharif <isha...@nvidia.com> wrote:

> Hi Guys,
>
> As part of the commit
> https://android.googlesource.com/platform/system/sepolicy/+/21f77f630b656b9acc034a04e5bf2303118937b0
>
> I see that we have added the neverallow rule only for some media domains
> and not all.
>
> Mediaserver and mediadrmserver do not have this neverallow. Is it that these
> domains are accessing the network? (Don’t see any rule for udp/tcp socket
> permissions)
>
> Also, are there any security implications due to which we have added these
> neverallow?
>
> Please help as we are trying to understand the security risk due to which
> the neverallow is added.
>
> Also if these domains need to access the network through udp or tcp, is
> there a way through which it can be done?
>
> Thanks.
>
> _______________________________________________
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> seandroid-list-requ...@tycho.nsa.gov.
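
A pre-build check for the property discussed in this thread, as an added example that is not part of the original messages or of AOSP: it scans device policy text for rules that would hand network sockets to a sandboxed media domain. The domain set, the socket class list and the sample policy are assumptions constructed for illustration; the scan only sees literal `allow` rules and `net_domain()` calls and does not expand attributes or other macros.

```python
import re

# Assumption: illustrative set of "no network" domains and socket classes;
# take the real lists from the neverallow rules in your own sepolicy tree.
NO_NET_DOMAINS = {"audioserver", "cameraserver"}
NET_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}

# allow <source> <target>:<class> <perms>;  (each field may be a { } set)
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;")
MACRO_RE = re.compile(r"^\s*net_domain\(\s*(\w+)\s*\)")

def names(token):
    """Expand 'a' or '{ a b }' into a set of names."""
    return set(token.strip("{}").split())

def find_violations(policy_text):
    """Return (line_no, domain, reason) for rules that grant network sockets."""
    hits = []
    for no, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = MACRO_RE.match(line)
        if m and m.group(1) in NO_NET_DOMAINS:
            hits.append((no, m.group(1), "net_domain() macro"))
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        sources, classes = names(m.group(1)), names(m.group(3))
        for dom in sorted(sources & NO_NET_DOMAINS):
            for cls in sorted(classes & NET_CLASSES):
                hits.append((no, dom, cls))
    return hits

# Constructed vendor policy fragment (not taken from any real device tree).
SAMPLE = """\
# constructed vendor policy fragment
allow audioserver audio_device:chr_file rw_file_perms;
allow audioserver self:tcp_socket create_stream_socket_perms;
allow { cameraserver mediaserver } self:{ udp_socket unix_dgram_socket } { create bind };
net_domain(cameraserver)
allow mediaserver self:tcp_socket create;
"""

if __name__ == "__main__":
    for no, dom, why in find_violations(SAMPLE):
        print(f"line {no}: {dom} gains network access via {why}")
```
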