domain: strengthen system_app sandbox neverallow

Prevent direct opens into the system_app sandbox. Change-Id: I04c22076939a9a09a6c861ae73da839c879c4ba7 Signed-off-by: William Roberts <william.c.roberts@intel.com>

domain: strengthen system_app sandbox neverallow
1cf262da · William Roberts · Nick Kralevich · f4fefd92 · 1cf262da
Commit 1cf262da authored 9 years ago by William Roberts Committed by Nick Kralevich 8 years ago
--- a/domain.te
+++ b/domain.te
@@ -425,7 +425,7 @@ neverallow {
  -system_app # its own sandbox
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
-} system_app_data_file:dir_file_class_set { create unlink };
+} system_app_data_file:dir_file_class_set { create unlink open };
 #
 # Only these domains should transition to shell domain. This domain is