Loosen system app data neverallows

We don't want to prevent access from vendor platform apps to system app data. The issue with the referencing system_app explicitly in neverallows is that vendor platform apps which need sandboxes similar to system_app cannot be placed under system_app without modifying the policy for all platform apps. Test: mmm system/sepolicy Change-Id: Ic0052602c31be4d74b02eeea129e2d8bfbd9c8d3

Loosen system app data neverallows
f2e07765 · Alex Klyubin · 4a478c47 · f2e07765
Commit f2e07765 authored 8 years ago by Alex Klyubin
--- a/public/domain.te
+++ b/public/domain.te
@@ -656,10 +656,17 @@ neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
 # respect system_app sandboxes
 neverallow {
  domain
-  -system_app # its own sandbox
+  -appdomain # finer-grained rules for appdomain are listed below
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+  isolated_app
+  untrusted_app_all # finer-grained rules for appdomain are listed below
+  ephemeral_app
+  priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
 # Services should respect app sandboxes
 neverallow {