Merge "Restrict system_server_startup domain"
diff --git a/private/seapp_contexts b/private/seapp_contexts
index c7daf6b..d47134b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -99,9 +99,11 @@
 # inputs are matched on a key value rule line.
 #
 
-# only the system server can be in system_server domain
+# only the system server can be assigned the system_server domains
 neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer=false domain=system_server_startup
 neverallow isSystemServer="" domain=system_server
+neverallow isSystemServer="" domain=system_server_startup
 
 # system domains should never be assigned outside of system uid
 neverallow user=((?!system).)* domain=system_app
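Review bot: The rewritten comment above the four assertions says "the system_server domains" without naming them, so a search for system_server_startup finds the rules but not their rationale. I would spell it out as `# only the system server can be assigned the system_server or system_server_startup domain`. The two added lines mirror the existing `isSystemServer=false` and `isSystemServer=""` pair, so the empty-value case is covered for the new domain too. As far as this hunk shows, these assertions constrain only entries in seapp_contexts. Whether other paths into system_server_startup are also restricted would have to be confirmed in the .te policy, which is not part of this change.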