commit 398f72e3fd481689a0c3f216ebcaf4b4b435076c
author TreeHugger Robot <treehugger-gerrit@google.com> Wed Jun 06 03:31:50 2018 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Wed Jun 06 03:31:50 2018 +0000
tree 4034702adeab61a96628129b0b5e01569b5ebfb4
parent c75bef086fb42f857c0a9b213ccd7c989da74d92
parent f2afca7cf05bcfe0547817069f33f8fed6e9e6c7

Merge "Allow ephemeral_app to execute system_file." into pi-dev

prebuilts/api/28.0/public/app.te

diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 01daaf9..439c1f8 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -87,7 +87,7 @@
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system

public/app.te

diff --git a/public/app.te b/public/app.te
index 01daaf9..439c1f8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -87,7 +87,7 @@
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system