From 8b2c85805308dca417e3ec8424955989aeb867f2 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Tue, 5 Jun 2018 17:55:26 -0700
Subject: [PATCH] Allow ephemeral_app to execute system_file.

(cherrypicked from commit f2afca7cf05bcfe0547817069f33f8fed6e9e6c7)

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
Merged-In: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
---
 public/app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/app.te b/public/app.te
index 64bb839c1..bc4ad611e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system