authorJeff Vander Stoep2018-04-16 09:49:49 -0500
committerJeffrey Vander Stoep2018-04-18 14:53:03 -0500
commit4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b (patch)
tree7c32389dcc778f9d0cd8c4f5f24673880761eb0b
parent5a5894a979d09035777558678e18fac1bfdebba5 (diff)
Protect dropbox service data with selinux
Create a new label for /data/system/dropbox, and neverallow direct access to anything other than init and system_server. While all apps may write to the dropbox service, only apps with android.permission.READ_LOGS, a signature|privileged|development permission, may read them. Grant access to priv_app, system_app, and platform_app, and neverallow access to all untrusted_apps. Bug: 31681871 Test: atest CtsStatsdHostTestCases Test: atest DropBoxTest Test: atest ErrorsTests Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
-rw-r--r--private/app_neverallows.te5
-rw-r--r--private/compat/26.0/26.0.cil1
-rw-r--r--private/compat/27.0/27.0.cil1
-rw-r--r--private/domain.te5
-rw-r--r--private/file_contexts1
-rw-r--r--private/platform_app.te3
-rw-r--r--private/priv_app.te3
-rw-r--r--private/system_app.te3
-rw-r--r--private/system_server.te4
-rw-r--r--public/file.te2
-rw-r--r--public/init.te2
11 files changed, 29 insertions, 1 deletions
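--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,3 +258,8 @@ full_treble_only(`
 
 # Untrusted apps are not allowed to find mediaextractor update service.
 neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Untrusted apps are not allowed to use the signature|privileged|development
+# android.permission.READ_LOGS permission, so they may not read dropbox files.
+# Access to the the dropbox directory is covered by a neverallow for domain.
+neverallow all_untrusted_apps dropbox_data_file:file *;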
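Review bot: The third comment line added here doubles the article ("the the"); it should read `# Access to the dropbox directory is covered by a neverallow for domain.`. Since this rule covers only the `file` class and relies on that other neverallow for `dir`, the comment would also be more useful if it named where that rule lives, e.g. `# ... is covered by a neverallow in private/domain.te.`, so a reader checking the untrusted-app boundary does not have to search for it.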
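--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -641,6 +641,7 @@
 (typeattributeset system_block_device_26_0 (system_block_device))
 (typeattributeset system_data_file_26_0
  ( system_data_file
+ dropbox_data_file
  vendor_data_file))
 (typeattributeset system_file_26_0 (system_file))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))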
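--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1359,6 +1359,7 @@
 (typeattributeset system_block_device_27_0 (system_block_device))
 (typeattributeset system_data_file_27_0
  ( system_data_file
+ dropbox_data_file
  vendor_data_file))
 (typeattributeset system_file_27_0 (system_file))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))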
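--- a/private/domain.te
+++ b/private/domain.te
@@ -116,3 +116,8 @@ full_treble_only(`
  -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
+
+# System_server owns dropbox data, and init creates/restorecons the directory
+# Disallow direct access by other processes.
+neverallow { domain -init -system_server } dropbox_data_file:dir *;
+neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };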
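Review bot: The comment above the two new neverallow rules says "Disallow direct access by other processes", but the `file` rule deliberately leaves `getattr` and `read` out of the denied set, and nothing in the comment explains why. The security argument is that the `dir` rule denies every directory permission (including `search`) to all domains but init and system_server, so a file can only be reached through a descriptor handed out by system_server; that is worth stating, e.g. `# getattr/read on files are intentionally not covered: path lookup is blocked by the dir rule, so they are only reachable via FDs passed out by DropBoxManagerService.`. The first comment line also lacks a terminating period. Whether any existing grant on `dropbox_data_file:dir` in vendor or device policy will now fail the compile-time neverallow check cannot be seen from this hunk.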
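--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,6 +432,7 @@
 /data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
 /data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
 /data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0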
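--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,6 +27,9 @@ allow platform_app asec_apk_file:file create_file_perms;
 allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
+# Read access to FDs from the DropboxManagerService.
+allow platform_app dropbox_data_file:file { getattr read };
+
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;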
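--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -53,6 +53,9 @@ allow priv_app ota_package_file:file create_file_perms;
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
+# Read access to FDs from the DropboxManagerService.
+allow priv_app dropbox_data_file:file { getattr read };
+
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;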
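--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,6 +24,9 @@ allow system_app misc_user_data_file:file create_file_perms;
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Read access to FDs from the DropboxManagerService.
+allow system_app dropbox_data_file:file { getattr read };
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 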
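--- a/private/system_server.te
+++ b/private/system_server.te
@@ -391,6 +391,10 @@ userdebug_or_eng(`
 allow system_server backup_data_file:dir create_dir_perms;
 allow system_server backup_data_file:file create_file_perms;
 
+# Write to /data/system/dropbox
+allow system_server dropbox_data_file:dir create_dir_perms;
+allow system_server dropbox_data_file:file create_file_perms;
+
 # Write to /data/system/heapdump
 allow system_server heapdump_data_file:dir rw_dir_perms;
 allow system_server heapdump_data_file:file create_file_perms;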
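--- a/public/file.te
+++ b/public/file.te
@@ -202,6 +202,8 @@ type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrusted
 type property_data_file, file_type, data_file_type, core_data_file_type;
 # /data/bootchart
 type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system/heapdump
 type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/nativetest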
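Review bot: The new `dropbox_data_file` type is declared without `mlstrustedobject`, while the neighbouring `heapdump_data_file` on the next context line carries it. The commit grants `read` on these files to app domains, which on multi-user devices run with per-user MLS categories, so whether the MLS constraints permit an app in a secondary user to read a descriptor passed from system_server without that attribute should be confirmed against the mls rules; it cannot be determined from this hunk. If the omission is intentional, a one-line comment such as `# not mlstrustedobject: only accessed through FDs passed by system_server` would record the decision next to the type.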
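--- a/public/init.te
+++ b/public/init.te
@@ -164,11 +164,11 @@ allow init {
 allow init {
  file_type
  -app_data_file
- -runtime_event_log_tags_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
+ -runtime_event_log_tags_file
  -shell_data_file
  -system_app_data_file
  -system_file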