From 79eda9ebb85e4ff47585d628c520664d9883ddd8 Mon Sep 17 00:00:00 2001
From: d34d
Date: Wed, 20 Jul 2016 11:02:12 -0700
Subject: [PATCH] sepolicy: Put theme service in its own context

Allow the theme manager and its data to be sandboxed in its own context

Change-Id: I7898663d1c196bfe04fa4c539d20191a43fde284
---
 sepolicy/app.te | 4 ++--
 sepolicy/bootanim.te | 4 ++--
 sepolicy/drmserver.te | 2 +-
 sepolicy/file.te | 2 +-
 sepolicy/file_contexts | 2 +-
 sepolicy/installd.te | 5 +++++
 sepolicy/mac_permissions.xml | 7 +++++++
 sepolicy/mediaserver.te | 4 ++--
 sepolicy/qcom/dumpstate.te | 5 +++--
 sepolicy/seapp_contexts | 1 +
 sepolicy/system.te | 4 ++--
 sepolicy/themeservice_app.te | 19 +++++++++++++++++++
 sepolicy/zygote.te | 4 ++--
 13 files changed, 48 insertions(+), 15 deletions(-)
 create mode 100644 sepolicy/themeservice_app.te

diff --git a/sepolicy/app.te b/sepolicy/app.te
index e590efec..6405e20b 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -4,5 +4,5 @@ allow appdomain sdcard_posix:dir r_dir_perms;
 allow appdomain sdcard_posix:file rw_file_perms;
 # Themed resources (i.e. composed icons)
-allow appdomain theme_data_file:dir r_dir_perms;
-allow appdomain theme_data_file:file r_file_perms;
+allow appdomain themeservice_app_data_file:dir r_dir_perms;
+allow appdomain themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index 164231b0..29c20d5f 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -1,3 +1,3 @@
 # Themed resources (bootanimation)
-allow bootanim theme_data_file:dir search;
-allow bootanim theme_data_file:file r_file_perms;
+allow bootanim themeservice_app_data_file:dir search;
+allow bootanim themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
index 63f654fd..508791f4 100644
--- a/sepolicy/drmserver.te
+++ b/sepolicy/drmserver.te
@@ -1 +1 @@
-allow drmserver theme_data_file:file r_file_perms;
+allow drmserver themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 1a003394..05e3c5d2 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -4,7 +4,7 @@ allow file_type rootfs:filesystem associate;
 type auditd_log, file_type, data_file_type;
 # Themes
-type theme_data_file, file_type, data_file_type;
+type themeservice_app_data_file, file_type, data_file_type;
 # Performance settings
 type sysfs_devices_system_iosched, file_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 706c84a9..bcc9217c 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -7,7 +7,7 @@
 /data/misc/audit(/.*)? u:object_r:auditd_log:s0
 # Themes
-/data/system/theme(/.*)? u:object_r:theme_data_file:s0
+/data/system/theme(/.*)? u:object_r:themeservice_app_data_file:s0
 /system/bin/sysinit u:object_r:sysinit_exec:s0
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 65f471a4..c2405990 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,3 +1,8 @@
 # Allow querying of asec size on SD card
 allow installd sdcard_external:dir { search };
 allow installd sdcard_external:file { getattr };
+
+# Required for installd to create theme service's /data/data directory
+allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
index 184e3568..f70b7225 100644
--- a/sepolicy/mac_permissions.xml
+++ b/sepolicy/mac_permissions.xml
@@ -21,4 +21,11 @@
+
+
+
+
+
+
+
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 40746303..c380ce90 100644
--- a/sepolicy/mediaserver.te
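Review bot: The seven added lines of this hunk carry no content in this rendering, so the signer stanza that is presumably introduced here for seinfo=themeservice (the value the new seapp_contexts line keys on) cannot be checked on this page. Since that seinfo is what routes org.cyanogenmod.themeservice into the themeservice_app domain, the entry should bind it to the certificate the theme service is actually signed with, and preferably to a key that is not shared with less trusted packages, so no other package signed with the same key can land in the domain. Worth confirming against the real file before merge.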
+++ b/sepolicy/mediaserver.te
@@ -1,6 +1,6 @@
 # Themed resources (i.e. composed icons)
-allow mediaserver theme_data_file:dir r_dir_perms;
-allow mediaserver theme_data_file:file r_file_perms;
+allow mediaserver themeservice_app_data_file:dir r_dir_perms;
+allow mediaserver themeservice_app_data_file:file r_file_perms;
 # For camera
 allow mediaserver media_rw_data_file:file write;
diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te
index 2cf70a47..d2844a6b 100644
--- a/sepolicy/qcom/dumpstate.te
+++ b/sepolicy/qcom/dumpstate.te
@@ -5,8 +5,9 @@ allow dumpstate resourcecache_data_file:dir r_dir_perms;
 allow dumpstate resourcecache_data_file:file r_file_perms;
 allow dumpstate fuse:dir r_dir_perms;
 allow dumpstate fuse:file r_file_perms;
-allow dumpstate theme_data_file:dir r_dir_perms;
-allow dumpstate theme_data_file:file r_file_perms;
+allow dumpstate themeservice_app_data_file:dir r_dir_perms;
+allow dumpstate themeservice_app_data_file:file r_file_perms;
 allow dumpstate media_rw_data_file:dir search;
 allow dumpstate sdcardfs:file getattr;
 allow dumpstate sdcardfs:dir search;
+
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 06c96d4b..11c8f00f 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,3 +1,4 @@
 user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
 user=theme_man domain=system_app type=system_data_file
 user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
+user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
\ No newline at end of file
diff --git a/sepolicy/system.te b/sepolicy/system.te
index 7b202eb0..a9831b68 100644
--- a/sepolicy/system.te
+++ b/sepolicy/system.te
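Review bot: The new line labels the theme service's private /data/data directory with themeservice_app_data_file, the same type this commit keeps on /data/system/theme (file_contexts hunk) and grants read access on to every app domain (app.te hunk: `allow appdomain themeservice_app_data_file:dir r_dir_perms;` / `:file r_file_perms;`), as well as to bootanim, drmserver, mediaserver, zygote and dumpstate. In policy terms that makes the sandboxed service's own data (shared_prefs, databases, caches) readable by any app, and the installd hunk's unlink/rename/relabel rules on the type now reach the shared theme store too; DAC may still block some of this, but the type no longer separates the two. Consider keeping a separate type for the themed-resource store (for example the old theme_data_file for /data/system/theme) and reserving themeservice_app_data_file for the app's own data directory. Two smaller points: the added line has no trailing newline (`\ No newline at end of file`), and the untouched `user=theme_man domain=system_app type=system_data_file` entry still places that uid in system_app — if it belongs to the same theme component it looks like it should move or be dropped.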
@@ -7,7 +7,7 @@ allow system_server dhcp_data_file:dir r_dir_perms;
 allow system_server dhcp_data_file:file r_file_perms;
 # Themes
-allow system_server theme_data_file:dir create_dir_perms;
-allow system_server theme_data_file:file create_file_perms;
+allow system_server themeservice_app_data_file:dir create_dir_perms;
+allow system_server themeservice_app_data_file:file create_file_perms;
 allow system_server resourcecache_data_file:dir create_dir_perms;
 allow system_server resourcecache_data_file:file create_file_perms;
diff --git a/sepolicy/themeservice_app.te b/sepolicy/themeservice_app.te
new file mode 100644
index 00000000..aaa84ab4
--- /dev/null
+++ b/sepolicy/themeservice_app.te
@@ -0,0 +1,19 @@
+# Add themeservice_app to appdomain
+type themeservice_app, domain;
+app_domain(themeservice_app)
+
+# Theme manager service
+allow themeservice_app activity_service:service_manager find;
+allow themeservice_app cm_status_bar_service:service_manager find;
+allow themeservice_app cm_themes_service:dir search;
+allow themeservice_app connectivity_service:service_manager find;
+allow themeservice_app display_service:service_manager find;
+allow themeservice_app mount_service:service_manager find;
+allow themeservice_app notification_service:service_manager find;
+allow themeservice_app system_app_data_file:dir search;
+allow themeservice_app user_service:service_manager find;
+allow themeservice_app wallpaper_service:service_manager find;
+
+# Allow full access to themeservice_app_data_file
+allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
+allow themeservice_app themeservice_app_data_file:file create_file_perms;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index a93d90ea..951f4143 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
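Review bot: `allow themeservice_app cm_themes_service:dir search;` uses the dir class while the surrounding cm_status_bar_service, connectivity_service and other entries use `service_manager find`; if cm_themes_service is a service_manager type like its neighbours, this rule matches no object and the intended line is `allow themeservice_app cm_themes_service:service_manager find;`, and if it really is a directory type the name is misleading enough to deserve a comment. The `system_app_data_file:dir search` rule is also unexplained: a one-line comment naming which path under the system app's data the service has to traverse would let a later reviewer judge whether it is still needed. The header `# Allow full access to themeservice_app_data_file` is accurate but could add that the same type labels /data/system/theme (file_contexts hunk), so "full access" covers the shared theme store and not only the app's private directory.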
@@ -1,5 +1,5 @@
-allow zygote theme_data_file:file r_file_perms;
-allow zygote theme_data_file:dir r_dir_perms;
+allow zygote themeservice_app_data_file:file r_file_perms;
+allow zygote themeservice_app_data_file:dir r_dir_perms;
 # ps command may do this
 allow untrusted_app zygote:process getsched;