From 155d3188767d274daf291ba43f169961151e1e56 Mon Sep 17 00:00:00 2001
From: Shiwangi Shah
Date: Thu, 24 Mar 2022 12:52:32 +0000
Subject: [PATCH] Add ThermalService and file access to SdkSandbox

Thermal Service access needs to be provided to Sdk Sandbox for Webview to record battery related metrics. We also provide isolated process access to the file directory for sandbox so that the renderer process can access it.

Bug: b/226558510
Test: Manual
Change-Id: I1ac14d4df7ab53e567a27086d0418ec612a7686f
---
 private/isolated_app.te | 4 ++--
 private/sdk_sandbox.te | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0d9075623..828ffb1e8 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
 app_domain(isolated_app)

 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };

 # Allow access to network sockets received over IPC. New socket creation is not
 # permitted.
@@ -72,7 +72,7 @@ can_profile_perf(isolated_app)
 #####

 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;

 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 782bb468d..72da6122a 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
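Review bot: The widened `allow` in the first isolated_app.te hunk applies to every `isolated_app` process, not only the WebView renderer started for the SDK sandbox, and it includes `write` and `append` on `sdk_sandbox_data_file`, so any isolated process that is handed such a descriptor can modify sandbox data. The matching `neverallow ... open` in the second hunk keeps access limited to descriptors passed over IPC, which is the right pairing. If the renderer only needs to read these files, a separate narrower rule such as `allow isolated_app sdk_sandbox_data_file:file { read getattr map };` would be safer; whether write access is actually required is not visible from this patch. Both comments above the changed rules should also name the new type, e.g. `# Access already open app and SDK sandbox data files received over Binder or local socket IPC.`, and both changed lines are missing the space before the closing brace (`sdk_sandbox_data_file }`).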
@@ -21,6 +21,7 @@ allow sdk_sandbox audio_service:service_manager find;
 auditallow sdk_sandbox audio_service:service_manager find;
 allow sdk_sandbox hint_service:service_manager find;
 allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
 allow sdk_sandbox trust_service:service_manager find;
 allow sdk_sandbox uimode_service:service_manager find;
 allow sdk_sandbox webviewupdate_service:service_manager find;
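Review bot: The new `thermal_service` rule widens the set of system services reachable from the SDK sandbox but carries no in-file rationale; the reason (WebView recording battery-related metrics) appears only in the commit message. A short comment above the rule would keep this allowlist auditable, e.g. `# Needed by WebView in the sandbox to record battery-related metrics (b/226558510).` The service list starts before this hunk and continues past it, so whether the other entries are documented the same way is not visible here.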