domain: keep others out of system app sandbox

Do not allow other domains to create or unlink files under
the system app sandbox.

Change-Id: I7c3037210c6849c3b0fc205fa71fa5ed4dcac1c2
Signed-off-by: William Roberts <william.c.roberts@intel.com>
diff --git a/domain.te b/domain.te
index 549a0b9..46e0ad2 100644
--- a/domain.te
+++ b/domain.te
@@ -419,6 +419,14 @@
 # to installd
 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
 
+# respect system_app sandboxes
+neverallow {
+  domain
+  -system_app # its own sandbox
+  -system_server #populate com.android.providers.settings/databases/settings.db.
+  -installd # creation of app sandbox
+} system_app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
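Review bot: The new neverallow at L17-L22 gates only `create` and `unlink`, so a domain outside the three exclusions could still add or remove entries under a system_app sandbox through `rename`, `link` or `rmdir`, which the description's intent ("create or unlink files under the system app sandbox") presumably also covers; if none of the excluded domains need those operations elsewhere, `{ create unlink rename link rmdir }` would close that gap, and a stricter form would be `add_name remove_name` on the sandbox directories, though I cannot tell from the hunk whether existing allow rules would then fail the neverallow check. The exclusion comments are also inconsistent: L19 and L21 use `# ...` while L20 reads `#populate`, and the installd justification should name both directions it is trusted for, e.g. `-system_server # populates com.android.providers.settings/databases/settings.db` and `-installd # creates and removes app sandboxes`, the latter hedged since only creation is stated here. Note too that a neverallow cannot be narrowed by device-specific policy, so any vendor domain that must touch system_app_data_file will need an exclusion added in this file rather than locally.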