domain: keep others out of system app sandbox

Do not allow other domains to create or unlink files under
the system app sandbox.

Change-Id: I7c3037210c6849c3b0fc205fa71fa5ed4dcac1c2
Signed-off-by: William Roberts <william.c.roberts@intel.com>

domain.te

@@ -419,6 +419,14 @@ neverallow {
 # to installd
 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
 
+# respect system_app sandboxes
+neverallow {
+  domain
+  -system_app # its own sandbox
+  -system_server #populate com.android.providers.settings/databases/settings.db.
+  -installd # creation of app sandbox
+} system_app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell