[RESTRICT AUTOMERGE] Update prebuilt sepolicy
Sepolicy was updated in aosp/1561695; update the prebuilt dir accordingly.
Bug: 154795779
Change-Id: I7c5885e709cf07137a393bde19e19ad5c1f92953
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b2..705483b 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -82,7 +82,7 @@
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:file r_file_perms;
+ } vendor_overlay_file:file open;
')
# Core domains are not permitted to use kernel interfaces which are not
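Review bot: The rule ending at `} vendor_overlay_file:file open;` now forbids only `open`, so it no longer stops the affected core domains from being granted `read`, `getattr` or `map` on vendor overlay files, and nothing on the new side records why that narrower restriction is acceptable. A comment above the rule would keep the intent reviewable, for example `# Core domains may use vendor overlay files only through fds opened by an exempted domain; they must never open them directly.` That wording assumes the relaxation exists to allow fd passing, which the hunk does not show, so confirm it against the originating change. The rule's opening line and the start of its exemption list lie outside the hunk.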
diff --git a/prebuilts/api/29.0/public/drmserver.te b/prebuilts/api/29.0/public/drmserver.te
index b7b641c..b7d4057 100644
--- a/prebuilts/api/29.0/public/drmserver.te
+++ b/prebuilts/api/29.0/public/drmserver.te
@@ -48,6 +48,9 @@
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;
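Review bot: The comment `# overlay package access` does not say that `open` is left out on purpose, and the same comment is repeated in the mediaextractor.te and mediaserver.te hunks. If these domains are core domains, later adding `open` or widening to `r_file_perms` would collide with the `vendor_overlay_file:file open` rule in coredomain.te. The comment should state that constraint, e.g. `# Overlay package access through an inherited fd only; open is intentionally not granted.` The fd-only reading is inferred from the permission set, so verify it against the source policy change before adopting the wording.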
diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te
index 4bedb0f..859ec9c 100644
--- a/prebuilts/api/29.0/public/mediaextractor.te
+++ b/prebuilts/api/29.0/public/mediaextractor.te
@@ -34,6 +34,9 @@
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te
index 70d0a55..8672eac 100644
--- a/prebuilts/api/29.0/public/mediaserver.te
+++ b/prebuilts/api/29.0/public/mediaserver.te
@@ -131,6 +131,9 @@
# b/120491318 allow mediaserver to access void:fd
allow mediaserver vold:fd use;
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
hal_client_domain(mediaserver, hal_allocator)
###
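Review bot: mediaserver is granted `{ read getattr map }` while drmserver and mediaextractor receive `{ read map }` under the same `# overlay package access` comment, and the hunk gives no reason for the extra `getattr`. If mediaserver really needs to stat the overlay file, say so in the comment, e.g. `# overlay package access (getattr needed by mediaserver only)`. Otherwise drop `getattr` so the three grants stay identical and minimal. Since this is a prebuilt copy, whichever form is chosen has to match the non-prebuilt policy exactly.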