domain: keep most domains out of app sandboxes

Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063
Signed-off-by: William Roberts <william.c.roberts@intel.com>
diff --git a/domain.te b/domain.te
index 0af215d..de00ac1 100644
--- a/domain.te
+++ b/domain.te
@@ -427,6 +427,13 @@
   -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };
 
+# Services should respect app sandboxes
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
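Review bot: The new neverallow on app_data_file covers only `{ create unlink }`, while the adjacent rule for system_app_data_file (L11) also denies `open`, and the one-line comment does not say why the two differ, so a maintainer extending either rule cannot tell whether the narrower set is deliberate. A comment stating the rationale would settle it, e.g. `# open is intentionally not covered here; unlike system_app_data_file, some services must open app files (document which before tightening)` — the actual justification is not visible in this hunk and should be confirmed. Note also that the rule leaves write, append, rename and setattr/relabel on existing app_data_file objects by non-app domains untouched, so the commit title "keep most domains out of app sandboxes" is broader than what the policy enforces; either the title or the comment should name the exact guarantee (no creation or deletion of sandbox contents outside appdomain and installd).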