Allow ephemeral_app to execute system_file.

(cherrypicked from commit f2afca7c) Bug: 109653662 Test: Build policy. Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5 Merged-In: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5

Allow ephemeral_app to execute system_file.
(cherrypicked from commit f2afca7c) Bug: 109653662 Test: Build policy. Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5 Merged-In: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
8b2c8580 · Joel Galenson · Nick Kralevich · 601b4422 · 8b2c8580
Commit 8b2c8580 authored 6 years ago by Joel Galenson Committed by Nick Kralevich 6 years ago
--- a/public/app.te
+++ b/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')

 # Renderscript needs the ability to read directories on /system