AOSP-CAF · JagravNaik · Jan 4, 2017 · Jul 31, 2017 · Dec 27, 2017
diff --git a/private/app.te b/private/app.te
@@ -540,3 +540,7 @@ neverallow {
   -bluetooth
   -system_app
 } bluetooth_prop:file create_file_perms;
+
+# Themed resources (i.e. composed icons)
+allow appdomain theme_data_file:dir r_dir_perms;
+allow appdomain theme_data_file:file r_file_perms;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
@@ -24,7 +24,10 @@
     thermalserviced_exec
     thermalserviced_tmpfs
     timezone_service
-    tombstoned_java_trace_socket))
+    tombstoned_java_trace_socket
+    substratum_service
+    theme_data_file
+    theme_prop))
 
 ;; private_objects - a collection of types that were labeled differently in
 ;;     older policy, but that should not remain accessible to vendor policy.

diff --git a/private/file_contexts b/private/file_contexts
@@ -401,6 +401,9 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# Themes data
+/data/system/theme(/.*)?    u:object_r:theme_data_file:s0
+
 #############################
 # Expanded data files
 #

diff --git a/private/property_contexts b/private/property_contexts
@@ -24,6 +24,7 @@ ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
 sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
+sys.refresh_theme       u:object_r:theme_prop:s0
 sys.usb.ffs.            u:object_r:ffs_prop:s0
 service.                u:object_r:system_prop:s0
 dhcp.                   u:object_r:dhcp_prop:s0

diff --git a/private/service_contexts b/private/service_contexts
@@ -143,6 +143,7 @@ soundtrigger                              u:object_r:voiceinteraction_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
 storaged                                  u:object_r:storaged_service:s0
 storagestats                              u:object_r:storagestats_service:s0
+substratum                                u:object_r:substratum_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:task_service:s0
 telecom                                   u:object_r:telecom_service:s0

diff --git a/private/system_app.te b/private/system_app.te
@@ -84,6 +84,13 @@ allow system_app keystore:keystore_key {
 # /sys access
 r_dir_file(system_app, sysfs_type)
 
+# /data/system access
+allow system_app system_data_file:file r_file_perms;
+
+# Allow access theme data files
+allow system_app theme_data_file:dir create_dir_perms;
+allow system_app theme_data_file:file create_file_perms;
+
 control_logd(system_app)
 read_runtime_log_tags(system_app)
 

diff --git a/private/system_server.te b/private/system_server.te
@@ -483,6 +483,10 @@ set_prop(system_server, cppreopt_prop)
 # Collect metrics on boot time created by init
 get_prop(system_server, boottime_prop)
 
+# theme property
+get_prop(system_server, theme_prop)
+set_prop(system_server, theme_prop)
+
 # Read device's serial number from system properties
 get_prop(system_server, serialno_prop)
 
@@ -571,6 +575,7 @@ allow system_server mediadrmserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
+allow system_server substratum_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 
@@ -653,6 +658,10 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
+# Allow access theme data files
+allow system_server theme_data_file:dir { create_dir_perms relabelto rw_dir_perms };
+allow system_server theme_data_file:file { create_file_perms relabelto rw_file_perms };
+
 # Postinstall
 #
 # For OTA dexopt, allow calls coming from postinstall.
@@ -697,6 +706,9 @@ with_asan(`
   allow system_server zygote_exec:file rx_file_perms;
 ')
 
+# allow system_server to look into theme resources
+allow system_server theme_data_file:dir search;
+
 ###
 ### Neverallow rules
 ###

diff --git a/private/zygote.te b/private/zygote.te
@@ -112,6 +112,10 @@ allow zygote tmpfs:dir r_dir_perms;
 # Let the zygote access overlays so it can initialize the AssetManager.
 get_prop(zygote, overlay_prop)
 
+# Themes
+allow zygote theme_data_file:file r_file_perms;
+allow zygote theme_data_file:dir r_dir_perms;
+
 ###
 ### neverallow rules
 ###

diff --git a/public/bootanim.te b/public/bootanim.te
@@ -39,3 +39,8 @@ r_dir_file(bootanim, cgroup)
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
+
+# Themed resources (bootanimation)
+allow bootanim theme_data_file:dir search;
+allow bootanim theme_data_file:file r_file_perms;
+allow bootanim system_data_file:file open;
diff --git a/public/drmserver.te b/public/drmserver.te
@@ -56,3 +56,7 @@ selinux_check_access(drmserver)
 
 r_dir_file(drmserver, cgroup)
 r_dir_file(drmserver, system_file)
+
+# Themed resources (i.e. composed icons)
+allow drmserver theme_data_file:dir r_dir_perms;
+allow drmserver theme_data_file:file r_file_perms;
diff --git a/public/file.te b/public/file.te
@@ -345,3 +345,6 @@ with_asan(`type asanwrapper_exec, exec_type, file_type;')
 # Should be:
 #   type apk_data_file, file_type, data_file_type;
 neverallow fs_type file_type:filesystem associate;
+
+# Themes
+type theme_data_file, file_type, data_file_type;
diff --git a/public/mediaserver.te b/public/mediaserver.te
@@ -148,3 +148,7 @@ neverallow mediaserver { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
 neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# Themed resources (i.e. composed icons)
+allow mediaserver theme_data_file:dir r_dir_perms;
+allow mediaserver theme_data_file:file r_file_perms;
diff --git a/public/property.te b/public/property.te
@@ -44,6 +44,7 @@ type serialno_prop, property_type;
 type shell_prop, property_type, core_property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
+type theme_prop, property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;

diff --git a/public/service.te b/public/service.te
@@ -125,6 +125,7 @@ type settings_service, app_api_service, ephemeral_app_api_service, system_server
 type shortcut_service, app_api_service, system_server_service, service_manager_type;
 type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type substratum_service, app_api_service, system_server_service, service_manager_type;
 type task_service, system_server_service, service_manager_type;
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;