sepolicy: Put theme service in its own context

Allow the theme manager and its data to be sandboxed in
its own context

Change-Id: I7898663d1c196bfe04fa4c539d20191a43fde284

sepolicy/app.te

@@ -4,5 +4,5 @@ allow appdomain sdcard_posix:dir r_dir_perms;
 allow appdomain sdcard_posix:file rw_file_perms;
 
 # Themed resources (i.e. composed icons)
-allow appdomain theme_data_file:dir r_dir_perms;
-allow appdomain theme_data_file:file r_file_perms;
+allow appdomain themeservice_app_data_file:dir r_dir_perms;
+allow appdomain themeservice_app_data_file:file r_file_perms;

sepolicy/bootanim.te

@@ -1,3 +1,3 @@
 # Themed resources (bootanimation)
-allow bootanim theme_data_file:dir search;
-allow bootanim theme_data_file:file r_file_perms;
+allow bootanim themeservice_app_data_file:dir search;
+allow bootanim themeservice_app_data_file:file r_file_perms;

sepolicy/drmserver.te

@@ -1 +1 @@
-allow drmserver theme_data_file:file r_file_perms;
+allow drmserver themeservice_app_data_file:file r_file_perms;

sepolicy/file.te

@@ -4,7 +4,7 @@ allow file_type rootfs:filesystem associate;
 type auditd_log, file_type, data_file_type;
 
 # Themes
-type theme_data_file, file_type, data_file_type;
+type themeservice_app_data_file, file_type, data_file_type;
 
 # Performance settings
 type sysfs_devices_system_iosched, file_type, sysfs_type;

sepolicy/file_contexts

@@ -7,7 +7,7 @@
 /data/misc/audit(/.*)?    u:object_r:auditd_log:s0
 
 # Themes
-/data/system/theme(/.*)?  u:object_r:theme_data_file:s0
+/data/system/theme(/.*)?  u:object_r:themeservice_app_data_file:s0
 
 /system/bin/sysinit       u:object_r:sysinit_exec:s0
 

sepolicy/installd.te

@@ -1,3 +1,8 @@
 # Allow querying of asec size on SD card
 allow installd sdcard_external:dir { search };
 allow installd sdcard_external:file { getattr };
+
+# Required for installd to create theme service's /data/data directory
+allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };

sepolicy/mac_permissions.xml

@@ -21,4 +21,11 @@
       <seinfo value="cmupdater" />
     </package>
   </signer>
+
+  <!-- ThemeManagerService -->
+  <signer signature="@RELEASE" >
+    <package name="org.cyanogenmod.themeservice" >
+      <seinfo value="themeservice" />
+    </package>
+  </signer>
 </policy>

sepolicy/mediaserver.te

@@ -1,6 +1,6 @@
 # Themed resources (i.e. composed icons)
-allow mediaserver theme_data_file:dir r_dir_perms;
-allow mediaserver theme_data_file:file r_file_perms;
+allow mediaserver themeservice_app_data_file:dir r_dir_perms;
+allow mediaserver themeservice_app_data_file:file r_file_perms;
 
 # For camera
 allow mediaserver media_rw_data_file:file write;

sepolicy/qcom/dumpstate.te

@@ -5,8 +5,9 @@ allow dumpstate resourcecache_data_file:dir r_dir_perms;
 allow dumpstate resourcecache_data_file:file r_file_perms;
 allow dumpstate fuse:dir r_dir_perms;
 allow dumpstate fuse:file r_file_perms;
-allow dumpstate theme_data_file:dir r_dir_perms;
-allow dumpstate theme_data_file:file r_file_perms;
+allow dumpstate themeservice_app_data_file:dir r_dir_perms;
+allow dumpstate themeservice_app_data_file:file r_file_perms;
 allow dumpstate media_rw_data_file:dir search;
 allow dumpstate sdcardfs:file getattr;
 allow dumpstate sdcardfs:dir search;
+

sepolicy/seapp_contexts

@@ -1,3 +1,4 @@
 user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
 user=theme_man domain=system_app type=system_data_file
 user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
+user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file

sepolicy/system.te

@@ -7,7 +7,7 @@ allow system_server dhcp_data_file:dir r_dir_perms;
 allow system_server dhcp_data_file:file r_file_perms;
 
 # Themes
-allow system_server theme_data_file:dir create_dir_perms;
-allow system_server theme_data_file:file create_file_perms;
+allow system_server themeservice_app_data_file:dir create_dir_perms;
+allow system_server themeservice_app_data_file:file create_file_perms;
 allow system_server resourcecache_data_file:dir create_dir_perms;
 allow system_server resourcecache_data_file:file create_file_perms;

sepolicy/themeservice_app.te

@@ -0,0 +1,19 @@
+# Add themeservice_app to appdomain
+type themeservice_app, domain;
+app_domain(themeservice_app)
+
+# Theme manager service
+allow themeservice_app activity_service:service_manager find;
+allow themeservice_app cm_status_bar_service:service_manager find;
+allow themeservice_app cm_themes_service:dir search;
+allow themeservice_app connectivity_service:service_manager find;
+allow themeservice_app display_service:service_manager find;
+allow themeservice_app mount_service:service_manager find;
+allow themeservice_app notification_service:service_manager find;
+allow themeservice_app system_app_data_file:dir search;
+allow themeservice_app user_service:service_manager find;
+allow themeservice_app wallpaper_service:service_manager find;
+
+# Allow full access to themeservice_app_data_file
+allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
+allow themeservice_app themeservice_app_data_file:file create_file_perms;

sepolicy/zygote.te

@@ -1,5 +1,5 @@
-allow zygote theme_data_file:file r_file_perms;
-allow zygote theme_data_file:dir r_dir_perms;
+allow zygote themeservice_app_data_file:file r_file_perms;
+allow zygote themeservice_app_data_file:dir r_dir_perms;
 
 # ps command may do this
 allow untrusted_app zygote:process getsched;