domain: keep most domains out of app sandboxes

Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 11:26:56 -08:00 · 2016-03-01 11:26:56 -08:00 · d7bd03c5bb
commit d7bd03c5bb
parent 1cf262daed
1 changed files with 7 additions and 0 deletions
--- a/domain.te
+++ b/domain.te
@ -427,6 +427,13 @@ neverallow {
  -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };

+# Services should respect app sandboxes
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell