From 5470ffeb70617481b75b540fb1ba55bcc0fdb937 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 24 Feb 2016 11:00:29 -0800
Subject: [PATCH] domain: keep others out of system app sandbox

Do not allow other domains to create or unlink files or directories
under the system app sandbox (system_app_data_file).

Change-Id: I7c3037210c6849c3b0fc205fa71fa5ed4dcac1c2
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 domain.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/domain.te b/domain.te
index 549a0b963..46e0ad2e4 100644
--- a/domain.te
+++ b/domain.te
@@ -419,6 +419,14 @@ neverallow {
 # to installd
 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
 
+# respect system_app sandboxes
+neverallow {
+  domain
+  -system_app # its own sandbox
+  -system_server #populate com.android.providers.settings/databases/settings.db.
+  -installd # creation of app sandbox
+} system_app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
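Review bot: The new neverallow on system_app_data_file only asserts `{ create unlink }`, so a domain outside the three exemptions is still not forbidden by this assertion from writing to, renaming, hard-linking into, or relabeling files that already exist in the sandbox — paths that defeat the same integrity goal (e.g. `rename` lets a file be swapped in without a `create`, and `relabelfrom` lets it be moved out from under the policy). Unless other neverallows elsewhere in the policy already cover those (not visible in this hunk), consider widening the permission set to something like `} system_app_data_file:dir_file_class_set { create unlink rename link relabelfrom relabelto };`, after checking the compiled policy for existing allow rules that would now trip the assertion. The exemption comments would also read better as full sentences with a space after `#`, e.g. `-system_server # populates com.android.providers.settings/databases/settings.db` and `-installd # creates and removes the app sandbox on install/uninstall`, since the current `-installd` note mentions only creation while the assertion also exempts unlink.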
-- 
GitLab