Protect dropbox service data with selinux Create a new label for /data/system/dropbox, and neverallow direct access to anything other than init and system_server. While all apps may write to the dropbox service, only apps with android.permission.READ_LOGS, a signature|privileged|development permission, may read them. Grant access to priv_app, system_app, and platform_app, and neverallow access to all untrusted_apps. Bug: 31681871 Test: atest CtsStatsdHostTestCases Test: atest DropBoxTest Test: atest ErrorsTests Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

commit: 4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Mon Apr 16 07:49:49 2018 -0700
committer: Jeffrey Vander Stoep <jeffv@google.com> Wed Apr 18 19:53:03 2018 +0000
tree: 7c32389dcc778f9d0cd8c4f5f24673880761eb0b
parent: 5a5894a979d09035777558678e18fac1bfdebba5 [diff] [blame]
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3bdbfb1..ca18c03 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -258,3 +258,8 @@
 
 # Untrusted apps are not allowed to find mediaextractor update service.
 neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Untrusted apps are not allowed to use the signature|privileged|development
+# android.permission.READ_LOGS permission, so they may not read dropbox files.
+# Access to the the dropbox directory is covered by a neverallow for domain.
+neverallow all_untrusted_apps dropbox_data_file:file *;
commit	4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Mon Apr 16 07:49:49 2018 -0700
committer	Jeffrey Vander Stoep <jeffv@google.com>	Wed Apr 18 19:53:03 2018 +0000
tree	7c32389dcc778f9d0cd8c4f5f24673880761eb0b
parent	5a5894a979d09035777558678e18fac1bfdebba5 [diff] [blame]