For some applications you might be able to restrict them enough for this to be true, but many apps will need fairly liberal policies.
Consider a text editor, for example. The user expects to be able to edit files all over the system, so even if there is a final "deny all" rule, there will be many paths that the policy needs to allow. Each of these paths is a potential attack vector (assuming that they manage to create the hardlink or bind mount).
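
The hardlink case described in the comment above can be checked from the defender's side. The following is an added example, not part of the original comment or of any policy engine: it models a first-match path policy with a final deny rule and reports files that the policy denies by one name but allows by another name for the same inode. The rule format, function names and directory layout are hypothetical, and it covers hardlinks only, not bind mounts.

```python
import fnmatch
import os
import tempfile

def allowed(path, rules):
    """Path-based decision: first matching rule wins, default is deny."""
    for pattern, verdict in rules:
        if fnmatch.fnmatch(path, pattern):
            return verdict == "allow"
    return False

def aliased_denied_files(root, rules):
    """Map each denied path to the allowed paths that share its inode."""
    by_inode = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_nlink > 1:  # more than one name refers to this inode
                by_inode.setdefault((st.st_dev, st.st_ino), []).append(path)
    findings = {}
    for paths in by_inode.values():
        reachable = sorted(p for p in paths if allowed(p, rules))
        for p in paths:
            if reachable and not allowed(p, rules):
                findings[p] = reachable
    return findings

def demo():
    """Build a constructed tree with one aliased file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        os.makedirs(os.path.join(root, "home/user/docs"))
        os.makedirs(os.path.join(root, "etc"))
        secret = os.path.join(root, "etc/secret.conf")
        with open(secret, "w") as fh:
            fh.write("constructed sample data\n")
        alias = os.path.join(root, "home/user/docs/notes.txt")
        os.link(secret, alias)  # second name for the same inode
        # Hypothetical editor policy: liberal allow rule, final deny-all.
        rules = [(root + "/home/user/*", "allow"), (root + "/*", "deny")]
        findings = aliased_denied_files(root, rules)
        return (allowed(secret, rules), allowed(alias, rules),
                findings == {secret: [alias]})

if __name__ == "__main__":
    print(demo())
```

The wider the allow rules, the more directories such an audit has to cover, which is the cost the comment points at.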
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds