Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct access to anything other than init and system_server. While all apps may write to the dropbox service, only apps with android.permission.READ_LOGS, a signature|privileged|development permission, may read them. Grant access to priv_app, system_app, and platform_app, and neverallow access to all untrusted_apps. Bug: 31681871 Test: atest CtsStatsdHostTestCases Test: atest DropBoxTest Test: atest ErrorsTests Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
This commit is contained in:
parent
5a5894a979
commit
4d3ee1a5b6
@ -258,3 +258,8 @@ full_treble_only(`
|
||||
|
||||
# Untrusted apps are not allowed to find mediaextractor update service.
|
||||
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
|
||||
|
||||
# Untrusted apps are not allowed to use the signature|privileged|development
|
||||
# android.permission.READ_LOGS permission, so they may not read dropbox files.
|
||||
# Access to the the dropbox directory is covered by a neverallow for domain.
|
||||
neverallow all_untrusted_apps dropbox_data_file:file *;
|
||||
|
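Review bot: The comment above the new neverallow has a doubled word, `# Access to the the dropbox directory is covered by a neverallow for domain.`; it should read `# Access to the dropbox directory is covered by the domain-wide neverallow added with this type.` While here, the comment could also state what this rule adds on top of that domain-wide rule: the domain-wide one still leaves `getattr read` on files to every domain, and this line is what removes even that from all_untrusted_apps, so an untrusted app cannot read a dropbox entry through a file descriptor it obtains from the service.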
@ -641,6 +641,7 @@
|
||||
(typeattributeset system_block_device_26_0 (system_block_device))
|
||||
(typeattributeset system_data_file_26_0
|
||||
( system_data_file
|
||||
dropbox_data_file
|
||||
vendor_data_file))
|
||||
(typeattributeset system_file_26_0 (system_file))
|
||||
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
|
||||
|
@ -1359,6 +1359,7 @@
|
||||
(typeattributeset system_block_device_27_0 (system_block_device))
|
||||
(typeattributeset system_data_file_27_0
|
||||
( system_data_file
|
||||
dropbox_data_file
|
||||
vendor_data_file))
|
||||
(typeattributeset system_file_27_0 (system_file))
|
||||
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
|
||||
|
@ -116,3 +116,8 @@ full_treble_only(`
|
||||
-init
|
||||
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
||||
')
|
||||
|
||||
# System_server owns dropbox data, and init creates/restorecons the directory
|
||||
# Disallow direct access by other processes.
|
||||
neverallow { domain -init -system_server } dropbox_data_file:dir *;
|
||||
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
|
||||
|
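Review bot: The comment above the two neverallows does not say why the file rule leaves exactly `{ getattr read }` in the complement: `open` is neverallowed for every domain other than init and system_server, so any other reader can consume a dropbox entry only through a file descriptor passed to it by system_server, never by opening the path itself. Suggest `# Other domains may only read entries via FDs passed by system_server; open is denied.` as a third comment line, and a period at the end of `# System_server owns dropbox data, and init creates/restorecons the directory`. The `full_treble_only(` context at the top of the hunk belongs to the preceding rule; the new rules sit after its closing `')`, so they apply regardless of Treble mode, which is presumably intended.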
@ -432,6 +432,7 @@
|
||||
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
|
||||
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
|
||||
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
|
||||
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
|
||||
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
|
||||
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
|
||||
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
|
||||
|
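Review bot: The new `/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0` entry only determines the label of files created after the policy change; on an upgrading device, entries already under /data/system/dropbox keep their system_data_file label until something relabels them, and the commit message says init restorecons the directory. That restorecon lives in init.rc, outside this change; please confirm it is recursive (`restorecon_recursive /data/system/dropbox`) so pre-existing entries also become dropbox_data_file, otherwise they remain outside the new neverallows until rewritten.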
@ -27,6 +27,9 @@ allow platform_app asec_apk_file:file create_file_perms;
|
||||
allow platform_app media_rw_data_file:dir create_dir_perms;
|
||||
allow platform_app media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Read access to FDs from the DropboxManagerService.
|
||||
allow platform_app dropbox_data_file:file { getattr read };
|
||||
|
||||
# Write to /cache.
|
||||
allow platform_app cache_file:dir create_dir_perms;
|
||||
allow platform_app cache_file:file create_file_perms;
|
||||
|
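Review bot: The rule `allow platform_app dropbox_data_file:file { getattr read };` deliberately avoids the `r_file_perms` macro used elsewhere in these files because the domain-wide neverallow in this commit forbids `open` for everything except init and system_server, but the comment does not say so, and a later maintainer is likely to "tidy" it into `r_file_perms` and hit the neverallow. The identical rules for priv_app and system_app in the following two hunks have the same comment. Suggest extending it in all three places to `# Read access to FDs from the DropboxManagerService. Not r_file_perms: open is neverallowed, entries are only readable via FDs passed by system_server.`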
@ -53,6 +53,9 @@ allow priv_app ota_package_file:file create_file_perms;
|
||||
allow priv_app media_rw_data_file:dir create_dir_perms;
|
||||
allow priv_app media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Read access to FDs from the DropboxManagerService.
|
||||
allow priv_app dropbox_data_file:file { getattr read };
|
||||
|
||||
# Used by Finsky / Android "Verify Apps" functionality when
|
||||
# running "adb install foo.apk".
|
||||
allow priv_app shell_data_file:file r_file_perms;
|
||||
|
@ -24,6 +24,9 @@ allow system_app misc_user_data_file:file create_file_perms;
|
||||
# Access to vold-mounted storage for measuring free space
|
||||
allow system_app mnt_media_rw_file:dir search;
|
||||
|
||||
# Read access to FDs from the DropboxManagerService.
|
||||
allow system_app dropbox_data_file:file { getattr read };
|
||||
|
||||
# Read wallpaper file.
|
||||
allow system_app wallpaper_file:file r_file_perms;
|
||||
|
||||
|
@ -391,6 +391,10 @@ userdebug_or_eng(`
|
||||
allow system_server backup_data_file:dir create_dir_perms;
|
||||
allow system_server backup_data_file:file create_file_perms;
|
||||
|
||||
# Write to /data/system/dropbox
|
||||
allow system_server dropbox_data_file:dir create_dir_perms;
|
||||
allow system_server dropbox_data_file:file create_file_perms;
|
||||
|
||||
# Write to /data/system/heapdump
|
||||
allow system_server heapdump_data_file:dir rw_dir_perms;
|
||||
allow system_server heapdump_data_file:file create_file_perms;
|
||||
|
@ -202,6 +202,8 @@ type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrusted
|
||||
type property_data_file, file_type, data_file_type, core_data_file_type;
|
||||
# /data/bootchart
|
||||
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
|
||||
# /data/system/dropbox
|
||||
type dropbox_data_file, file_type, data_file_type, core_data_file_type;
|
||||
# /data/system/heapdump
|
||||
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
||||
# /data/nativetest
|
||||
|
@ -164,11 +164,11 @@ allow init {
|
||||
allow init {
|
||||
file_type
|
||||
-app_data_file
|
||||
-runtime_event_log_tags_file
|
||||
-exec_type
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
-nativetest_data_file
|
||||
-runtime_event_log_tags_file
|
||||
-shell_data_file
|
||||
-system_app_data_file
|
||||
-system_file
|
||||
|