Protect dropbox service data with selinux Create a new label for /data/system/dropbox, and neverallow direct access to anything other than init and system_server. While all apps may write to the dropbox service, only apps with android.permission.READ_LOGS, a signature|privileged|development permission, may read them. Grant access to priv_app, system_app, and platform_app, and neverallow access to all untrusted_apps. Bug: 31681871 Test: atest CtsStatsdHostTestCases Test: atest DropBoxTest Test: atest ErrorsTests Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

commit: 4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Mon Apr 16 07:49:49 2018 -0700
committer: Jeffrey Vander Stoep <jeffv@google.com> Wed Apr 18 19:53:03 2018 +0000
tree: 7c32389dcc778f9d0cd8c4f5f24673880761eb0b
parent: 5a5894a979d09035777558678e18fac1bfdebba5 [diff] [blame]
diff --git a/private/system_app.te b/private/system_app.te
index eb7e050..efb768b 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -24,6 +24,9 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Read access to FDs from the DropboxManagerService.
+allow system_app dropbox_data_file:file { getattr read };
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
commit	4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Mon Apr 16 07:49:49 2018 -0700
committer	Jeffrey Vander Stoep <jeffv@google.com>	Wed Apr 18 19:53:03 2018 +0000
tree	7c32389dcc778f9d0cd8c4f5f24673880761eb0b
parent	5a5894a979d09035777558678e18fac1bfdebba5 [diff] [blame]