Loosen system app data neverallows
We don't want to prevent access from vendor platform apps to system app
data. The issue with referencing system_app explicitly in
neverallows is that vendor platform apps which need sandboxes similar to
system_app cannot be placed under system_app without modifying the
policy for all platform apps.
Test: mmm system/sepolicy
Change-Id: Ic0052602c31be4d74b02eeea129e2d8bfbd9c8d3
diff --git a/public/domain.te b/public/domain.te
index 3ed451a..847de67 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -656,10 +656,17 @@
# respect system_app sandboxes
neverallow {
domain
- -system_app # its own sandbox
+ -appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
# Services should respect app sandboxes
neverallow {
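Review bot: In the first neverallow, swapping `-system_app` for `-appdomain` exempts every app domain, and the new second rule restores the restriction for only four of them (`isolated_app`, `untrusted_app_all`, `ephemeral_app`, `priv_app`). Any other appdomain type is therefore no longer covered by a neverallow on `system_app_data_file` for `create unlink open`, which is broader than the vendor platform app case the commit message describes. Please add a comment above the second rule stating which app domains are intentionally left unconstrained and why, or extend the list so that only those domains are exempt. Separately, the comment on the `untrusted_app_all` line ("finer-grained rules for appdomain are listed below") looks copied from the `-appdomain` line and does not describe this rule; drop it or replace it with one that does.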