sepolicy: Put theme service in its own context

Allow the theme manager and its data to be sandboxed in
its own context

Change-Id: I7898663d1c196bfe04fa4c539d20191a43fde284
d34d 2016-07-20 11:02:12 -07:00 committed by Clark Scheff
parent 7f81f3ce33
commit 79eda9ebb8
13 changed files with 48 additions and 15 deletions


@ -4,5 +4,5 @@ allow appdomain sdcard_posix:dir r_dir_perms;
allow appdomain sdcard_posix:file rw_file_perms;
# Themed resources (i.e. composed icons)
allow appdomain theme_data_file:dir r_dir_perms;
allow appdomain theme_data_file:file r_file_perms;
allow appdomain themeservice_app_data_file:dir r_dir_perms;
allow appdomain themeservice_app_data_file:file r_file_perms;
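Review bot: `themeservice_app_data_file` ends up labelling two different things: the shared theme resources under `/data/system/theme` (file_contexts section) and, through `type=themeservice_app_data_file` in the seapp_contexts section, the service's private /data/data directory. The read rules added here for every `appdomain` therefore also cover the service's private files at the MAC layer, leaving only DAC modes to protect them; the same applies to the bootanim, drmserver, mediaserver, dumpstate and zygote rules and to the create permissions kept for system_server. If the intent is a sandboxed service, consider keeping a distinct type for the shared resources, e.g. leave `/data/system/theme(/.*)? u:object_r:theme_data_file:s0` in place and grant the new domain `allow themeservice_app theme_data_file:dir create_dir_perms;` and `allow themeservice_app theme_data_file:file create_file_perms;`, so these readers never see the app-private type.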


@ -1,3 +1,3 @@
# Themed resources (bootanimation)
allow bootanim theme_data_file:dir search;
allow bootanim theme_data_file:file r_file_perms;
allow bootanim themeservice_app_data_file:dir search;
allow bootanim themeservice_app_data_file:file r_file_perms;


@ -1 +1 @@
allow drmserver theme_data_file:file r_file_perms;
allow drmserver themeservice_app_data_file:file r_file_perms;


@ -4,7 +4,7 @@ allow file_type rootfs:filesystem associate;
type auditd_log, file_type, data_file_type;
# Themes
type theme_data_file, file_type, data_file_type;
type themeservice_app_data_file, file_type, data_file_type;
# Performance settings
type sysfs_devices_system_iosched, file_type, sysfs_type;


@ -7,7 +7,7 @@
/data/misc/audit(/.*)? u:object_r:auditd_log:s0
# Themes
/data/system/theme(/.*)? u:object_r:theme_data_file:s0
/data/system/theme(/.*)? u:object_r:themeservice_app_data_file:s0
/system/bin/sysinit u:object_r:sysinit_exec:s0


@ -1,3 +1,8 @@
# Allow querying of asec size on SD card
allow installd sdcard_external:dir { search };
allow installd sdcard_external:file { getattr };
# Required for installd to create theme service's /data/data directory
allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };


@ -21,4 +21,11 @@
<seinfo value="cmupdater" />
</package>
</signer>
<!-- ThemeManagerService -->
<signer signature="@RELEASE" >
<package name="org.cyanogenmod.themeservice" >
<seinfo value="themeservice" />
</package>
</signer>
</policy>


@ -1,6 +1,6 @@
# Themed resources (i.e. composed icons)
allow mediaserver theme_data_file:dir r_dir_perms;
allow mediaserver theme_data_file:file r_file_perms;
allow mediaserver themeservice_app_data_file:dir r_dir_perms;
allow mediaserver themeservice_app_data_file:file r_file_perms;
# For camera
allow mediaserver media_rw_data_file:file write;


@ -5,8 +5,9 @@ allow dumpstate resourcecache_data_file:dir r_dir_perms;
allow dumpstate resourcecache_data_file:file r_file_perms;
allow dumpstate fuse:dir r_dir_perms;
allow dumpstate fuse:file r_file_perms;
allow dumpstate theme_data_file:dir r_dir_perms;
allow dumpstate theme_data_file:file r_file_perms;
allow dumpstate themeservice_app_data_file:dir r_dir_perms;
allow dumpstate themeservice_app_data_file:file r_file_perms;
allow dumpstate media_rw_data_file:dir search;
allow dumpstate sdcardfs:file getattr;
allow dumpstate sdcardfs:dir search;


@ -1,3 +1,4 @@
user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
user=theme_man domain=system_app type=system_data_file
user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
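Review bot: The new entry only matches when the package gets `seinfo=themeservice`, which is assigned by the `@RELEASE` signer stanza in the mac_permissions.xml section; a build signed with a different key would not match it, and the service would presumably be labelled by a more general `user=_app` rule instead. A comment above the line would make the coupling visible, e.g. `# seinfo=themeservice comes from mac_permissions.xml (signer @RELEASE); keep both in sync`. The older `user=theme_man domain=system_app type=system_data_file` entry is left in place; if nothing runs as that user after this change, it can be dropped.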


@ -7,7 +7,7 @@ allow system_server dhcp_data_file:dir r_dir_perms;
allow system_server dhcp_data_file:file r_file_perms;
# Themes
allow system_server theme_data_file:dir create_dir_perms;
allow system_server theme_data_file:file create_file_perms;
allow system_server themeservice_app_data_file:dir create_dir_perms;
allow system_server themeservice_app_data_file:file create_file_perms;
allow system_server resourcecache_data_file:dir create_dir_perms;
allow system_server resourcecache_data_file:file create_file_perms;


@ -0,0 +1,19 @@
# Add themeservice_app to appdomain
type themeservice_app, domain;
app_domain(themeservice_app)
# Theme manager service
allow themeservice_app activity_service:service_manager find;
allow themeservice_app cm_status_bar_service:service_manager find;
allow themeservice_app cm_themes_service:dir search;
allow themeservice_app connectivity_service:service_manager find;
allow themeservice_app display_service:service_manager find;
allow themeservice_app mount_service:service_manager find;
allow themeservice_app notification_service:service_manager find;
allow themeservice_app system_app_data_file:dir search;
allow themeservice_app user_service:service_manager find;
allow themeservice_app wallpaper_service:service_manager find;
# Allow full access to themeservice_app_data_file
allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
allow themeservice_app themeservice_app_data_file:file create_file_perms;
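Review bot: The rule `allow themeservice_app cm_themes_service:dir search;` looks like a mix-up: every other `*_service` line in this file uses class `service_manager` with `find`, and a `dir` permission on a service type would not let the app look the service up. The declaration of `cm_themes_service` is not part of this commit, so confirm its kind; if it is a service_manager type the line should read `allow themeservice_app cm_themes_service:service_manager find;`. It would also help to add a comment on `allow themeservice_app system_app_data_file:dir search;` stating which path needs it, since it is the one rule here that reaches into another app domain's data.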


@ -1,5 +1,5 @@
allow zygote theme_data_file:file r_file_perms;
allow zygote theme_data_file:dir r_dir_perms;
allow zygote themeservice_app_data_file:file r_file_perms;
allow zygote themeservice_app_data_file:dir r_dir_perms;
# ps command may do this
allow untrusted_app zygote:process getsched;