Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.
While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.
Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3bdbfb1..ca18c03 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,3 +258,8 @@
# Untrusted apps are not allowed to find mediaextractor update service.
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Untrusted apps are not allowed to use the signature|privileged|development
+# android.permission.READ_LOGS permission, so they may not read dropbox files.
+# Access to the the dropbox directory is covered by a neverallow for domain.
+neverallow all_untrusted_apps dropbox_data_file:file *;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ff2d4c..30f0d74 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -641,6 +641,7 @@
(typeattributeset system_block_device_26_0 (system_block_device))
(typeattributeset system_data_file_26_0
( system_data_file
+ dropbox_data_file
vendor_data_file))
(typeattributeset system_file_26_0 (system_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index c1f5e94..f8c86b0 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1359,6 +1359,7 @@
(typeattributeset system_block_device_27_0 (system_block_device))
(typeattributeset system_data_file_27_0
( system_data_file
+ dropbox_data_file
vendor_data_file))
(typeattributeset system_file_27_0 (system_file))
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
diff --git a/private/domain.te b/private/domain.te
index fb6ba4f..3a7ef42 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -116,3 +116,8 @@
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
+
+# System_server owns dropbox data, and init creates/restorecons the directory
+# Disallow direct access by other processes.
+neverallow { domain -init -system_server } dropbox_data_file:dir *;
+neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
diff --git a/private/file_contexts b/private/file_contexts
index 4e2a765..31cc59d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,6 +432,7 @@
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index f60597a..b147bd9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,6 +27,9 @@
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
+# Read access to FDs from the DropboxManagerService.
+allow platform_app dropbox_data_file:file { getattr read };
+
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 99397a5..3c2e641 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -53,6 +53,9 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
+# Read access to FDs from the DropboxManagerService.
+allow priv_app dropbox_data_file:file { getattr read };
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index eb7e050..efb768b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,6 +24,9 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
+# Read access to FDs from the DropboxManagerService.
+allow system_app dropbox_data_file:file { getattr read };
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index e9cf303..da06de0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -391,6 +391,10 @@
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
+# Write to /data/system/dropbox
+allow system_server dropbox_data_file:dir create_dir_perms;
+allow system_server dropbox_data_file:file create_file_perms;
+
# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;
diff --git a/public/file.te b/public/file.te
index 01b489d..aeb15dc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -202,6 +202,8 @@
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
diff --git a/public/init.te b/public/init.te
index 88357e5..3047037 100644
--- a/public/init.te
+++ b/public/init.te
@@ -164,11 +164,11 @@
allow init {
file_type
-app_data_file
- -runtime_event_log_tags_file
-exec_type
-keystore_data_file
-misc_logd_file
-nativetest_data_file
+ -runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
-system_file