commit 4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b
author Jeff Vander Stoep <jeffv@google.com> Mon Apr 16 07:49:49 2018 -0700
committer Jeffrey Vander Stoep <jeffv@google.com> Wed Apr 18 19:53:03 2018 +0000
tree 7c32389dcc778f9d0cd8c4f5f24673880761eb0b
parent 5a5894a979d09035777558678e18fac1bfdebba5

Protect dropbox service data with selinux

Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 4e2a765..31cc59d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,6 +432,7 @@
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
+/data/system/dropbox(/.*)?      u:object_r:dropbox_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
 /data/misc/wmtrace(/.*)?        u:object_r:wm_trace_data_file:s0