From d7bd03c5bba06cce32dcd16bbd21b037927e347b Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Tue, 1 Mar 2016 11:26:56 -0800
Subject: [PATCH] domain: keep most domains out of app sandboxes

Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 domain.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/domain.te b/domain.te
index 0af215d1b..de00ac1df 100644
--- a/domain.te
+++ b/domain.te
@@ -427,6 +427,13 @@ neverallow {
   -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };
 
+# Services should respect app sandboxes
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
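Review bot: The new neverallow on app_data_file covers only `{ create unlink }`, whereas the preceding rule on system_app_data_file also denies `open`, so domains other than appdomain and installd remain free (as far as this policy allows elsewhere) to open files inside app sandboxes; if that omission is deliberate, the comment should say so, since the header "Services should respect app sandboxes" reads as a broader guarantee than the rule provides. Suggested wording: `# Services should respect app sandboxes: only apps and installd may create or delete app data files; open is intentionally not restricted here.` The exclusion comment on the new installd line, `-installd # creation of sandbox`, would also read more consistently as `-installd # creation of app sandbox`, matching the rule above it. The enclosing neverallow block that precedes the hunk starts outside it.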
-- 
GitLab