From 6026a4adb94e7365f3c98f32a0599803354121e0 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 31 Aug 2018 15:07:42 -0700
Subject: [PATCH] app: Allow all apps to read dropbox FDs

DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
---
 private/app_neverallows.te | 5 -----
 private/platform_app.te    | 3 ---
 private/priv_app.te        | 3 ---
 private/system_app.te      | 3 ---
 public/app.te              | 3 +++
 5 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c2ef14cce..8c530308a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,8 +265,3 @@ full_treble_only(`
 
 # Untrusted apps are not allowed to find mediaextractor update service.
 neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
-
-# Untrusted apps are not allowed to use the signature|privileged|development
-# android.permission.READ_LOGS permission, so they may not read dropbox files.
-# Access to the the dropbox directory is covered by a neverallow for domain.
-neverallow all_untrusted_apps dropbox_data_file:file *;
diff --git a/private/platform_app.te b/private/platform_app.te
index eec503a74..1ee65d363 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,9 +27,6 @@ allow platform_app asec_apk_file:file create_file_perms;
 allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
-# Read access to FDs from the DropboxManagerService.
-allow platform_app dropbox_data_file:file { getattr read };
-
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index f24afc0d9..101c44809 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -54,9 +54,6 @@ allow priv_app ota_package_file:file create_file_perms;
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
-# Read access to FDs from the DropboxManagerService.
-allow priv_app dropbox_data_file:file { getattr read };
-
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 7a7411f4c..4ed19824e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,9 +24,6 @@ allow system_app misc_user_data_file:file create_file_perms;
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
-# Read access to FDs from the DropboxManagerService.
-allow system_app dropbox_data_file:file { getattr read };
-
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 
diff --git a/public/app.te b/public/app.te
index 932116e6a..62a63cdf1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -350,6 +350,9 @@ allow appdomain cache_file:dir getattr;
 # Allow apps to run with asanwrapper.
 with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
 
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
 ###
 ### Neverallow rules
 ###
-- 
GitLab