Add ThermalService and file access to SdkSandbox

Thermal Service access needs to be provided to Sdk Sandbox
for Webview to record battery related metrics. We also
provide isolated process access to the file directory for sandbox
so that the renderer process can access it.

Bug: b/226558510
Test: Manual
Change-Id: I1ac14d4df7ab53e567a27086d0418ec612a7686f

private/isolated_app.te

@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
 
 # Allow access to network sockets received over IPC. New socket creation is not
 # permitted.
@@ -72,7 +72,7 @@ can_profile_perf(isolated_app)
 #####
 
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?

private/sdk_sandbox.te

@@ -21,6 +21,7 @@ allow sdk_sandbox audio_service:service_manager find;
 auditallow sdk_sandbox audio_service:service_manager find;
 allow sdk_sandbox hint_service:service_manager find;
 allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
 allow sdk_sandbox trust_service:service_manager find;
 allow sdk_sandbox uimode_service:service_manager find;
 allow sdk_sandbox webviewupdate_service:service_manager find;