Merge "Allow installd to delete files via sdcardfs." into oc-dev
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 9777753..7a26bec 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,11 +1,12 @@
# rules removed from the domain attribute
# Search /storage/emulated tmpfs mount.
-allow domain_deprecated tmpfs:dir r_dir_perms;
+allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
+ -installd
-sdcardd
-surfaceflinger
-system_server
diff --git a/public/installd.te b/public/installd.te
index c5b45b4..359356a 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -54,6 +54,12 @@
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
+allow installd sdcardfs:file { getattr unlink };
+
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
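Review bot: The added `allow installd tmpfs:dir r_dir_perms;` is broader than the `storage_file:dir search` rule next to it, and the comment does not say why directory read is needed. If installd only traverses the /storage/emulated tmpfs mount to reach the sdcardfs path, `allow installd tmpfs:dir search;` would be enough. The sdcardfs rules are sensibly limited to removal (no `add_name`, no `create`, no file `write`). Nothing in this hunk ties the `sdcardfs` type to a particular path, so which files can be unlinked presumably depends on installd's own path handling, and a comment such as `# Delete-only: no create/add_name; target paths are constrained by installd, not by policy` would record that. If no other rule needs it, `neverallow installd sdcardfs:file { create write append };` would pin the delete-only intent against later widening.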