Allow artd to delete .sdm files.
.sdm files contain Cloud Compilation artifacts and are installed by the
app store, along with the APK. The file is initially installed as
`apk_tmp_file` and then relabeled to `apk_data_file` after being
committed.
To save space, we need to:
- Delete .sdm files (in `apk_tmp_file`) on install if they are not
usable (they don't pass the usability verification).
- Delete .sdm files (in `apk_data_file`) after the recompilation by the
background dexopt job, at which point the .sdm files are essentially
obsolete.
Bug: 377474232
Test: No SELinux denial when deleting .sdm files.
Change-Id: I8457ecfb832d04ed8cb169812f4b66b8a7e861dd
diff --git a/private/artd.te b/private/artd.te
index 15d7969..b3f1e5a 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -37,11 +37,12 @@
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
+# Also allow deleting .sdm files.
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
-allow artd apk_data_file:file r_file_perms;
+allow artd apk_data_file:file { r_file_perms unlink };
allow artd apk_tmp_file:dir { rw_dir_perms create setattr relabelfrom };
-allow artd apk_tmp_file:file r_file_perms;
+allow artd apk_tmp_file:file { r_file_perms unlink };
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
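Review bot: The new `unlink` grants on `apk_data_file:file` and `apk_tmp_file:file` are wider than the added comment "Also allow deleting .sdm files" says. SELinux rules match on type, not on file name, so with these two lines artd may unlink any file labeled `apk_data_file` or `apk_tmp_file`, including the APKs themselves, and the .sdm restriction is enforced only by artd's own code. Either reword the comment to say so (for example, that the rule permits deleting any file of these types and artd limits it to .sdm files in code), or consider whether .sdm files could carry a dedicated type so that the policy itself bounds what artd can delete.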