Merge "Add ThermalService and file access to SdkSandbox" am: ae1844e593 am: 2a59dd1f45 am: b587145b20

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2041705

Change-Id: I3a4942f0575fe2c63853c3ea6a1370afe5af9c70
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

private/isolated_app.te

@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
 
 # Allow access to network sockets received over IPC. New socket creation is not
 # permitted.
@@ -72,7 +72,7 @@ can_profile_perf(isolated_app)
 #####
 
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?

private/sdk_sandbox.te

@@ -21,6 +21,7 @@ allow sdk_sandbox audio_service:service_manager find;
 auditallow sdk_sandbox audio_service:service_manager find;
 allow sdk_sandbox hint_service:service_manager find;
 allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
 allow sdk_sandbox trust_service:service_manager find;
 allow sdk_sandbox uimode_service:service_manager find;
 allow sdk_sandbox webviewupdate_service:service_manager find;