tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

domain: keep most domains out of app sandboxes

Browse source 
Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This commit is contained in:
William Roberts 2016-03-01 11:26:56 -08:00 committed by Nick Kralevich
parent 1cf262daed
commit d7bd03c5bb
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
domain.te
View file

@ -427,6 +427,13 @@ neverallow {
-installd # creation of app sandbox -installd # creation of app sandbox
} system_app_data_file:dir_file_class_set { create unlink open }; } system_app_data_file:dir_file_class_set { create unlink open };
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-installd # creation of sandbox
} app_data_file:dir_file_class_set { create unlink };
# #
# Only these domains should transition to shell domain. This domain is # Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell # permissible for the "shell user". If you need a process to exec a shell