sepolicy: Put theme service in its own context
Allow the theme manager and its data to be sandboxed in its own context Change-Id: I7898663d1c196bfe04fa4c539d20191a43fde284
This commit is contained in:
parent
7f81f3ce33
commit
79eda9ebb8
@ -4,5 +4,5 @@ allow appdomain sdcard_posix:dir r_dir_perms;
|
||||
allow appdomain sdcard_posix:file rw_file_perms;
|
||||
|
||||
# Themed resources (i.e. composed icons)
|
||||
allow appdomain theme_data_file:dir r_dir_perms;
|
||||
allow appdomain theme_data_file:file r_file_perms;
|
||||
allow appdomain themeservice_app_data_file:dir r_dir_perms;
|
||||
allow appdomain themeservice_app_data_file:file r_file_perms;
|
||||
|
@ -1,3 +1,3 @@
|
||||
# Themed resources (bootanimation)
|
||||
allow bootanim theme_data_file:dir search;
|
||||
allow bootanim theme_data_file:file r_file_perms;
|
||||
allow bootanim themeservice_app_data_file:dir search;
|
||||
allow bootanim themeservice_app_data_file:file r_file_perms;
|
||||
|
@ -1 +1 @@
|
||||
allow drmserver theme_data_file:file r_file_perms;
|
||||
allow drmserver themeservice_app_data_file:file r_file_perms;
|
||||
|
@ -4,7 +4,7 @@ allow file_type rootfs:filesystem associate;
|
||||
type auditd_log, file_type, data_file_type;
|
||||
|
||||
# Themes
|
||||
type theme_data_file, file_type, data_file_type;
|
||||
type themeservice_app_data_file, file_type, data_file_type;
|
||||
|
||||
# Performance settings
|
||||
type sysfs_devices_system_iosched, file_type, sysfs_type;
|
||||
|
@ -7,7 +7,7 @@
|
||||
/data/misc/audit(/.*)? u:object_r:auditd_log:s0
|
||||
|
||||
# Themes
|
||||
/data/system/theme(/.*)? u:object_r:theme_data_file:s0
|
||||
/data/system/theme(/.*)? u:object_r:themeservice_app_data_file:s0
|
||||
|
||||
/system/bin/sysinit u:object_r:sysinit_exec:s0
|
||||
|
||||
|
@ -1,3 +1,8 @@
|
||||
# Allow querying of asec size on SD card
|
||||
allow installd sdcard_external:dir { search };
|
||||
allow installd sdcard_external:file { getattr };
|
||||
|
||||
# Required for installd to create theme service's /data/data directory
|
||||
allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
|
||||
allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
|
||||
allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
|
||||
|
@ -21,4 +21,11 @@
|
||||
<seinfo value="cmupdater" />
|
||||
</package>
|
||||
</signer>
|
||||
|
||||
<!-- ThemeManagerService -->
|
||||
<signer signature="@RELEASE" >
|
||||
<package name="org.cyanogenmod.themeservice" >
|
||||
<seinfo value="themeservice" />
|
||||
</package>
|
||||
</signer>
|
||||
</policy>
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Themed resources (i.e. composed icons)
|
||||
allow mediaserver theme_data_file:dir r_dir_perms;
|
||||
allow mediaserver theme_data_file:file r_file_perms;
|
||||
allow mediaserver themeservice_app_data_file:dir r_dir_perms;
|
||||
allow mediaserver themeservice_app_data_file:file r_file_perms;
|
||||
|
||||
# For camera
|
||||
allow mediaserver media_rw_data_file:file write;
|
||||
|
@ -5,8 +5,9 @@ allow dumpstate resourcecache_data_file:dir r_dir_perms;
|
||||
allow dumpstate resourcecache_data_file:file r_file_perms;
|
||||
allow dumpstate fuse:dir r_dir_perms;
|
||||
allow dumpstate fuse:file r_file_perms;
|
||||
allow dumpstate theme_data_file:dir r_dir_perms;
|
||||
allow dumpstate theme_data_file:file r_file_perms;
|
||||
allow dumpstate themeservice_app_data_file:dir r_dir_perms;
|
||||
allow dumpstate themeservice_app_data_file:file r_file_perms;
|
||||
allow dumpstate media_rw_data_file:dir search;
|
||||
allow dumpstate sdcardfs:file getattr;
|
||||
allow dumpstate sdcardfs:dir search;
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
|
||||
user=theme_man domain=system_app type=system_data_file
|
||||
user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
|
||||
user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
|
@ -7,7 +7,7 @@ allow system_server dhcp_data_file:dir r_dir_perms;
|
||||
allow system_server dhcp_data_file:file r_file_perms;
|
||||
|
||||
# Themes
|
||||
allow system_server theme_data_file:dir create_dir_perms;
|
||||
allow system_server theme_data_file:file create_file_perms;
|
||||
allow system_server themeservice_app_data_file:dir create_dir_perms;
|
||||
allow system_server themeservice_app_data_file:file create_file_perms;
|
||||
allow system_server resourcecache_data_file:dir create_dir_perms;
|
||||
allow system_server resourcecache_data_file:file create_file_perms;
|
||||
|
19
sepolicy/themeservice_app.te
Normal file
19
sepolicy/themeservice_app.te
Normal file
@ -0,0 +1,19 @@
|
||||
# Add themeservice_app to appdomain
|
||||
type themeservice_app, domain;
|
||||
app_domain(themeservice_app)
|
||||
|
||||
# Theme manager service
|
||||
allow themeservice_app activity_service:service_manager find;
|
||||
allow themeservice_app cm_status_bar_service:service_manager find;
|
||||
allow themeservice_app cm_themes_service:dir search;
|
||||
allow themeservice_app connectivity_service:service_manager find;
|
||||
allow themeservice_app display_service:service_manager find;
|
||||
allow themeservice_app mount_service:service_manager find;
|
||||
allow themeservice_app notification_service:service_manager find;
|
||||
allow themeservice_app system_app_data_file:dir search;
|
||||
allow themeservice_app user_service:service_manager find;
|
||||
allow themeservice_app wallpaper_service:service_manager find;
|
||||
|
||||
# Allow full access to themeservice_app_data_file
|
||||
allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
|
||||
allow themeservice_app themeservice_app_data_file:file create_file_perms;
|
@ -1,5 +1,5 @@
|
||||
allow zygote theme_data_file:file r_file_perms;
|
||||
allow zygote theme_data_file:dir r_dir_perms;
|
||||
allow zygote themeservice_app_data_file:file r_file_perms;
|
||||
allow zygote themeservice_app_data_file:dir r_dir_perms;
|
||||
|
||||
# ps command may do this
|
||||
allow untrusted_app zygote:process getsched;
|
||||
|
Loading…
Reference in New Issue
Block a user