domain: keep most domains out of app sandboxes

Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063 Signed-off-by: William Roberts <william.c.roberts@intel.com>

domain: keep most domains out of app sandboxes
d7bd03c5 · William Roberts · Nick Kralevich · 1cf262da · d7bd03c5
Commit d7bd03c5 authored 9 years ago by William Roberts Committed by Nick Kralevich 8 years ago
--- a/domain.te
+++ b/domain.te
@@ -427,6 +427,13 @@ neverallow {
  -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };

+# Services should respect app sandboxes
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell