From f2afca7cf05bcfe0547817069f33f8fed6e9e6c7 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Tue, 5 Jun 2018 17:55:26 -0700
Subject: [PATCH] Allow ephemeral_app to execute system_file.

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
---
 prebuilts/api/28.0/public/app.te | 2 +-
 public/app.te                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 01daaf909..439c1f80f 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
diff --git a/public/app.te b/public/app.te
index 01daaf909..439c1f80f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
-- 
GitLab