The audioserver process is specifically prohibited from accessing the network.
See 7ca6fc8629/private/audioserver.te (line 91):

    # Media processing code is inherently risky and thus should have limited
    # permissions and be isolated from the rest of the system and network.
    # Lengthier explanation here:
    # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
    neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;

Since SELinux doesn't allow audioserver to access tcp/udp sockets, it
doesn't make any sense to have audioserver be in the inet group.
Discovered while reviewing
https://android-review.googlesource.com/c/platform/frameworks/base/+/968497
Similarly, I suspect other groups listed here are also unnecessary and
can be cleaned up in a future commit.
Test: compiles and boots
Change-Id: Ic331f301565aee911de30322dd4c3811529597ee
gugelfrei
parent e066f91c0f
commit f6f60c008a
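
The reasoning in the commit message above can be checked mechanically. The following is an added example, not part of the commit or of AOSP: it flags init services that are in the inet group even though a neverallow rule denies their domain every permission on all network socket classes. The policy and .rc snippets are constructed samples, and treating the service name as the SELinux domain name is an assumption.

```python
import re

# Constructed sample inputs for illustration (not copied from AOSP files).
SEPOLICY = """\
# Media processing code is inherently risky ...
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
"""
INIT_RC = """\
service audioserver /system/bin/audioserver
    user audioserver
    group audio inet media
service example_netd /system/bin/example_netd
    group inet
"""

NET_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}
NET_GROUPS = {"inet"}  # the group the commit message calls pointless without sockets
RULE = re.compile(r"neverallow\s+(\w+)\s+\w+:(\{[^}]*\}|\w+)\s+(\*|\{[^}]*\}|\w+)\s*;")

def blocked_domains(policy):
    """Domains whose neverallow rules deny every permission on all NET_CLASSES."""
    denied = {}
    text = "\n".join(l for l in policy.splitlines() if not l.lstrip().startswith("#"))
    for src, classes, perms in RULE.findall(text):
        if perms == "*":  # conservative: only count blanket denials
            denied.setdefault(src, set()).update(classes.strip("{}").split())
    return {d for d, c in denied.items() if NET_CLASSES <= c}

def service_groups(rc):
    """Map each init service name to the groups on its 'group' lines."""
    groups, current = {}, None
    for line in rc.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "service" and len(words) >= 2:
            current = words[1]
            groups[current] = []
        elif words[0] == "group" and current:
            groups[current] += words[1:]
    return groups

def redundant_net_groups(policy, rc):
    # Assumption: the service name equals its SELinux domain (as for audioserver).
    blocked = blocked_domains(policy)
    return {s: sorted(NET_GROUPS & set(g)) for s, g in service_groups(rc).items()
            if s in blocked and NET_GROUPS & set(g)}

if __name__ == "__main__":
    print(redundant_net_groups(SEPOLICY, INIT_RC))
```

Only blanket (`*`) denials covering all three socket classes count, so a domain with a partial restriction is not reported.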