Protect dropbox service data with selinux

Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
diff --git a/private/priv_app.te b/private/priv_app.te
index 99397a5..3c2e641 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -53,6 +53,9 @@
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
+# Read access to FDs from the DropboxManagerService.
+allow priv_app dropbox_data_file:file { getattr read };
+
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
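Review bot: The added rule `allow priv_app dropbox_data_file:file { getattr read };` leaves out `open`, unlike the `r_file_perms` grant on shell_data_file directly below it, and the comment does not say that the omission is deliberate. Extend the comment to state that priv_app only reads file descriptors already opened and handed over by the service and must not open files under /data/system/dropbox by path, so that a later cleanup does not widen this to `r_file_perms`. The commit message also describes grants for system_app and platform_app and a neverallow covering untrusted_apps; none of those are visible in this hunk, so confirm they are present in the other files of the change and that the neverallow also covers `open` for the app domains.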