audioserver: drop inet group

The audioserver process is specifically prohibited from accessing the network.
See
7ca6fc8629/private/audioserver.te (91)
line 91

  # Media processing code is inherently risky and thus should have limited
  # permissions and be isolated from the rest of the system and network.
  # Lengthier explanation here:
  # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
  neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;

Since SELinux doesn't allow audioserver to access tcp/udp sockets, it
doesn't make any sense to have audioserver be in the inet group.

Discovered while reviewing
https://android-review.googlesource.com/c/platform/frameworks/base/+/968497

Similarly, I suspect other groups listed here are also unnecessary and
can be cleaned up in a future commit.

Test: compiles and boots
Change-Id: Ic331f301565aee911de30322dd4c3811529597ee
gugelfrei
Nick Kralevich 5 years ago
parent e066f91c0f
commit f6f60c008a

@ -2,7 +2,7 @@ service audioserver /system/bin/audioserver
class core
user audioserver
# media gid needed for /dev/fm (radio) and for /data/misc/media (tee)
group audio camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct wakelock
group audio camera drmrpc media mediadrm net_bt net_bt_admin net_bw_acct wakelock
capabilities BLOCK_SUSPEND
ioprio rt 4
writepid /dev/cpuset/foreground/tasks /dev/stune/foreground/tasks
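
Review bot: On the `group` line, the remaining network-related groups `net_bt`, `net_bt_admin` and `net_bw_acct` have no stated justification; the comment above the line explains only the `media` gid. The commit message already suspects that other groups listed here are unnecessary, so consider extending that comment to record why each remaining group is needed, or to mark the ones still to be audited, so the follow-up cleanup has a starting point. Dropping `inet` is consistent with the quoted neverallow on `tcp_socket`, `udp_socket` and `rawip_socket`. The "compiles and boots" test line could also say whether audio playback and recording were exercised after the change.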
