Let vold_prepare_subdirs completely clean deleted user data.

After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the followign denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
(cherry picked from commit 254a872c)

private/vold_prepare_subdirs.te

@@ -12,8 +12,8 @@ allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
   system_data_file
   vendor_data_file
-}:dir { open read write add_name remove_name relabelfrom };
-allow vold_prepare_subdirs system_data_file:file getattr;
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs system_data_file:file { getattr unlink };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir relabelto };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
 allow vold_prepare_subdirs storaged_data_file:dir { create_dir_perms relabelto };

public/domain.te

@@ -1121,6 +1121,7 @@ neverallow {
   -system_app
   -init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  -vold_prepare_subdirs # For unlink
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink