Merge "Prevent sandbox executing from sdk_sandbox_data_file" into tm-dev

commit: c5ae3ca682381d8c6b39ee1b4cbd31a515d0501a [log] [tgz]
author: Bram Bonné <brambonne@google.com> Wed May 04 08:01:03 2022 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Wed May 04 08:01:03 2022 +0000
tree: 633345402b9c78648f0d6cd6c57808e5ad8200ac
parent: 89b92167e2193c67d4cf900cedded7d2a6427766 [diff]
parent: fa56130d4bcb92268d0c8e5051dcbf43459f0fde [diff]
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 74ede2a..46e7be8 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te

@@ -110,7 +110,7 @@
 ### neverallow rules
 ###
 
-neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
 
 # Receive or send uevent messages.
 neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
commit	c5ae3ca682381d8c6b39ee1b4cbd31a515d0501a	[log] [tgz]
author	Bram Bonné <brambonne@google.com>	Wed May 04 08:01:03 2022 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Wed May 04 08:01:03 2022 +0000
tree	633345402b9c78648f0d6cd6c57808e5ad8200ac
parent	89b92167e2193c67d4cf900cedded7d2a6427766 [diff]
parent	fa56130d4bcb92268d0c8e5051dcbf43459f0fde [diff]