sepolicy: Put theme service in its own context

Allow the theme manager and its data to be sandboxed in
its own context

Change-Id: I7898663d1c196bfe04fa4c539d20191a43fde284

13 files changed, 48 insertions, 15 deletions

diff --git a/sepolicy/app.te b/sepolicy/app.te
index e590efe..6405e20 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -4,5 +4,5 @@ allow appdomain sdcard_posix:dir r_dir_perms;
 allow appdomain sdcard_posix:file rw_file_perms;
 
 # Themed resources (i.e. composed icons)
-allow appdomain theme_data_file:dir r_dir_perms;
-allow appdomain theme_data_file:file r_file_perms;
+allow appdomain themeservice_app_data_file:dir r_dir_perms;
+allow appdomain themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index 164231b..29c20d5 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -1,3 +1,3 @@
 # Themed resources (bootanimation)
-allow bootanim theme_data_file:dir search;
-allow bootanim theme_data_file:file r_file_perms;
+allow bootanim themeservice_app_data_file:dir search;
+allow bootanim themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
index 63f654f..508791f 100644
--- a/sepolicy/drmserver.te
+++ b/sepolicy/drmserver.te
@@ -1 +1 @@
-allow drmserver theme_data_file:file r_file_perms;
+allow drmserver themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 1a00339..05e3c5d 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -4,7 +4,7 @@ allow file_type rootfs:filesystem associate;
 type auditd_log, file_type, data_file_type;
 
 # Themes
-type theme_data_file, file_type, data_file_type;
+type themeservice_app_data_file, file_type, data_file_type;
 
 # Performance settings
 type sysfs_devices_system_iosched, file_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 706c84a..bcc9217 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -7,7 +7,7 @@
 /data/misc/audit(/.*)?    u:object_r:auditd_log:s0
 
 # Themes
-/data/system/theme(/.*)?  u:object_r:theme_data_file:s0
+/data/system/theme(/.*)?  u:object_r:themeservice_app_data_file:s0
 
 /system/bin/sysinit       u:object_r:sysinit_exec:s0
 
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 65f471a..c240599 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,3 +1,8 @@
 # Allow querying of asec size on SD card
 allow installd sdcard_external:dir { search };
 allow installd sdcard_external:file { getattr };
+
+# Required for installd to create theme service's /data/data directory
+allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:lnk_file { create_file_perms relabelfrom relabelto };
+allow installd themeservice_app_data_file:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
index 184e356..f70b722 100644
--- a/sepolicy/mac_permissions.xml
+++ b/sepolicy/mac_permissions.xml
@@ -21,4 +21,11 @@
       <seinfo value="cmupdater" />
     </package>
   </signer>
+
+  <!-- ThemeManagerService -->
+  <signer signature="@RELEASE" >
+    <package name="org.cyanogenmod.themeservice" >
+      <seinfo value="themeservice" />
+    </package>
+  </signer>
 </policy>
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 4074630..c380ce9 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,6 +1,6 @@
 # Themed resources (i.e. composed icons)
-allow mediaserver theme_data_file:dir r_dir_perms;
-allow mediaserver theme_data_file:file r_file_perms;
+allow mediaserver themeservice_app_data_file:dir r_dir_perms;
+allow mediaserver themeservice_app_data_file:file r_file_perms;
 
 # For camera
 allow mediaserver media_rw_data_file:file write;
diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te
index 2cf70a4..d2844a6 100644
--- a/sepolicy/qcom/dumpstate.te
+++ b/sepolicy/qcom/dumpstate.te
@@ -5,8 +5,9 @@ allow dumpstate resourcecache_data_file:dir r_dir_perms;
 allow dumpstate resourcecache_data_file:file r_file_perms;
 allow dumpstate fuse:dir r_dir_perms;
 allow dumpstate fuse:file r_file_perms;
-allow dumpstate theme_data_file:dir r_dir_perms;
-allow dumpstate theme_data_file:file r_file_perms;
+allow dumpstate themeservice_app_data_file:dir r_dir_perms;
+allow dumpstate themeservice_app_data_file:file r_file_perms;
 allow dumpstate media_rw_data_file:dir search;
 allow dumpstate sdcardfs:file getattr;
 allow dumpstate sdcardfs:dir search;
+
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
index 06c96d4..11c8f00 100644
--- a/sepolicy/seapp_contexts
+++ b/sepolicy/seapp_contexts
@@ -1,3 +1,4 @@
 user=_app seinfo=platform name=com.cyanogenmod.filemanager domain=untrusted_app type=app_data_file
 user=theme_man domain=system_app type=system_data_file
 user=_app seinfo=cmupdater name=com.cyanogenmod.updater domain=system_app type=system_app_data_file
+user=_app seinfo=themeservice name=org.cyanogenmod.themeservice domain=themeservice_app type=themeservice_app_data_file
\ No newline at end of file
diff --git a/sepolicy/system.te b/sepolicy/system.te
index 7b202eb..a9831b6 100644
--- a/sepolicy/system.te
+++ b/sepolicy/system.te
@@ -7,7 +7,7 @@ allow system_server dhcp_data_file:dir r_dir_perms;
 allow system_server dhcp_data_file:file r_file_perms;
 
 # Themes
-allow system_server theme_data_file:dir create_dir_perms;
-allow system_server theme_data_file:file create_file_perms;
+allow system_server themeservice_app_data_file:dir create_dir_perms;
+allow system_server themeservice_app_data_file:file create_file_perms;
 allow system_server resourcecache_data_file:dir create_dir_perms;
 allow system_server resourcecache_data_file:file create_file_perms;
diff --git a/sepolicy/themeservice_app.te b/sepolicy/themeservice_app.te
new file mode 100644
index 0000000..aaa84ab
--- /dev/null
+++ b/sepolicy/themeservice_app.te
@@ -0,0 +1,19 @@
+# Add themeservice_app to appdomain
+type themeservice_app, domain;
+app_domain(themeservice_app)
+
+# Theme manager service
+allow themeservice_app activity_service:service_manager find;
+allow themeservice_app cm_status_bar_service:service_manager find;
+allow themeservice_app cm_themes_service:dir search;
+allow themeservice_app connectivity_service:service_manager find;
+allow themeservice_app display_service:service_manager find;
+allow themeservice_app mount_service:service_manager find;
+allow themeservice_app notification_service:service_manager find;
+allow themeservice_app system_app_data_file:dir search;
+allow themeservice_app user_service:service_manager find;
+allow themeservice_app wallpaper_service:service_manager find;
+
+# Allow full access to themeservice_app_data_file
+allow themeservice_app themeservice_app_data_file:dir create_dir_perms;
+allow themeservice_app themeservice_app_data_file:file create_file_perms;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index a93d90e..951f414 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -1,5 +1,5 @@
-allow zygote theme_data_file:file r_file_perms;
-allow zygote theme_data_file:dir r_dir_perms;
+allow zygote themeservice_app_data_file:file r_file_perms;
+allow zygote themeservice_app_data_file:dir r_dir_perms;
 
 # ps command may do this
 allow untrusted_app zygote:process getsched;