[RESTRICT AUTOMERGE] Update prebuilt sepolicy

Updating sepolicy in aosp/1561695, accordingly, update prebuilt dir as
well


Bug: 154795779
Change-Id: I7c5885e709cf07137a393bde19e19ad5c1f92953
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b2..705483b 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -82,7 +82,7 @@
         -webview_zygote
         -zygote
         userdebug_or_eng(`-heapprofd')
-    } vendor_overlay_file:file r_file_perms;
+    } vendor_overlay_file:file open;
 ')
 
 # Core domains are not permitted to use kernel interfaces which are not
diff --git a/prebuilts/api/29.0/public/drmserver.te b/prebuilts/api/29.0/public/drmserver.te
index b7b641c..b7d4057 100644
--- a/prebuilts/api/29.0/public/drmserver.te
+++ b/prebuilts/api/29.0/public/drmserver.te
@@ -48,6 +48,9 @@
 allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
 add_service(drmserver, drmserver_service)
 allow drmserver permission_service:service_manager find;
 
diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te
index 4bedb0f..859ec9c 100644
--- a/prebuilts/api/29.0/public/mediaextractor.te
+++ b/prebuilts/api/29.0/public/mediaextractor.te
@@ -34,6 +34,9 @@
 allow mediaextractor asec_apk_file:file { read getattr };
 allow mediaextractor ringtone_file:file { read getattr };
 
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
 # scan extractor library directory to dynamically load extractors
 allow mediaextractor system_file:dir { read open };
 
diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te
index 70d0a55..8672eac 100644
--- a/prebuilts/api/29.0/public/mediaserver.te
+++ b/prebuilts/api/29.0/public/mediaserver.te
@@ -131,6 +131,9 @@
 # b/120491318 allow mediaserver to access void:fd
 allow mediaserver vold:fd use;
 
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
 hal_client_domain(mediaserver, hal_allocator)
 
 ###