Let vold_prepare_subdirs completely clean deleted user data.
After adding a new user, deleting it, and rebooting, some of the user's data still remained. This adds the SELinux permissions necessary to remove all of the data. It fixes the followign denials:
avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.
Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index badbb71..89b1528 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,8 +12,8 @@
allow vold_prepare_subdirs {
system_data_file
vendor_data_file
-}:dir { open read write add_name remove_name relabelfrom };
-allow vold_prepare_subdirs system_data_file:file getattr;
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs system_data_file:file { getattr unlink };
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir relabelto };
allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
allow vold_prepare_subdirs storaged_data_file:dir { create_dir_perms relabelto };
diff --git a/public/domain.te b/public/domain.te
index 41e0903..2856f2c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1120,6 +1120,7 @@
-system_app
-init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
+ -vold_prepare_subdirs # For unlink
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink