Make system_aconfig_storage_file domain-readable

Read access to this file is needed by any process that reads flags.
For now, exclude access to vendors.

Bug: 328444881
Test: m
Change-Id: I1899d2a0c61a6286fc285a532244730ad1e4a0fc
Ted Bauer 2024-03-21 16:33:43 +00:00
parent 78dbd5ea7b
commit a2b17ab856
2 changed files with 3 additions and 7 deletions


@ -34,10 +34,6 @@ userdebug_or_eng(`
# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms;
# allow aconfigd to read system/system_ext/product partition storage files
allow aconfigd system_aconfig_storage_file:file r_file_perms;
allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;


@ -208,12 +208,12 @@ allow {
-hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;
# Allow everyone to read from flag value boot snapshot files and general pb files
# Allow all (except vendor) to read from flag value boot snapshot files and general pb files
# The boot copy of the flag value files serves flag read traffic for all processes, thus
# needs to be readable by everybody. Also, the metadata directory will contain pb file
# that records where flag storage files are, so also needs to be readable by everbody.
allow domain aconfig_storage_metadata_file:file r_file_perms;
allow domain aconfig_storage_metadata_file:dir r_dir_perms;
r_dir_file({ coredomain appdomain }, aconfig_storage_metadata_file);
r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
# processes needs to access storage file stored at /metadata/aconfig/boot, require search
# permission on /metadata dir
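Review bot: The retained comment under the new header still says the files must be readable "by everybody", but the two `r_dir_file({ coredomain appdomain }, ...)` rules grant access only to core and app domains. Because the old `allow domain aconfig_storage_metadata_file:...` rules are dropped, this also takes away metadata read access that non-core, non-app domains had before, which the commit message does not mention. I would reword the comment to name the intended readers, for example `# ... thus needs to be readable by all coredomain and appdomain processes; vendor domains are excluded for now.` As far as I know, `r_dir_file` also grants `lnk_file` read, so the grant is slightly wider than the `r_file_perms`/`r_dir_perms` pair it replaces; confirm that is intended. The comment that starts on the last two lines continues outside this hunk.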