ephemeral_app: disallow access to qtaguid files

Apps targeting API version 28+ are not allowed to access:
/proc/xt_qtaguid/*
/dev/xt_qtaguid

Instant apps should also be excluded from access.

Fixes: 92796393
Test: make -j cts_instant
    cts-instant-tradefed run commandAndExit cts-instant-dev \
    -m CtsPermissionTestCases \
    --test android.permission.cts.FileSystemPermissionTest

Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457

prebuilts/api/28.0/public/app.te

@@ -178,7 +178,6 @@ userdebug_or_eng(`
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -190,7 +189,6 @@ r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 r_dir_file({
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -201,7 +199,6 @@ r_dir_file({
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app

public/app.te

@@ -178,7 +178,6 @@ userdebug_or_eng(`
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -190,7 +189,6 @@ r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 r_dir_file({
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -201,7 +199,6 @@ r_dir_file({
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app