domain: strengthen system_app sandbox neverallow

Prevent direct opens into the system_app sandbox.

Change-Id: I04c22076939a9a09a6c861ae73da839c879c4ba7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
diff --git a/domain.te b/domain.te
index 46e0ad2..0af215d 100644
--- a/domain.te
+++ b/domain.te
@@ -425,7 +425,7 @@
   -system_app # its own sandbox
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
-} system_app_data_file:dir_file_class_set { create unlink };
+} system_app_data_file:dir_file_class_set { create unlink open };
 
 #
 # Only these domains should transition to shell domain. This domain is
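Review bot: The exemption comments on `-system_server` and `-installd` still justify only creation ("populate ... settings.db", "creation of app sandbox"), but with `open` added on the changed line those exemptions now also cover direct opens of system_app_data_file objects. Each comment should say whether that domain actually needs `open`, so a later reviewer can tell an intended exemption from an inherited one. It would also help to document the scope of the rule next to it, for example `# open is denied so other domains can only use descriptors handed to them; read/write on a passed fd is not restricted by this neverallow`. That reading is inferred from the commit message and should be confirmed. The neverallow statement opens above the hunk, so its header and any existing leading comment are not visible here.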