From 1cf262daed9f5cb6fd08b1942208b612492c7bba Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Tue, 1 Mar 2016 11:02:09 -0800
Subject: [PATCH] domain: strengthen system_app sandbox neverallow

Prevent direct opens into the system_app sandbox.

Change-Id: I04c22076939a9a09a6c861ae73da839c879c4ba7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 46e0ad2e4..0af215d1b 100644
--- a/domain.te
+++ b/domain.te
@@ -425,7 +425,7 @@ neverallow {
   -system_app # its own sandbox
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
-} system_app_data_file:dir_file_class_set { create unlink };
+} system_app_data_file:dir_file_class_set { create unlink open };
 
 #
 # Only these domains should transition to shell domain. This domain is
-- 
GitLab