From 2bae5b96939047aedd4f0c9243ae24df74e79a16 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Mon, 16 Apr 2018 14:50:38 -0700
Subject: [PATCH] Let vold_prepare_subdirs completely clean deleted user data.

After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the followign denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
(cherry picked from commit 254a872cab855b01433cdd5a30239ef888452003)
---
 private/vold_prepare_subdirs.te | 4 ++--
 public/domain.te                | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 93d6c115b..ab1825824 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,8 +12,8 @@ allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
   system_data_file
   vendor_data_file
-}:dir { open read write add_name remove_name relabelfrom };
-allow vold_prepare_subdirs system_data_file:file getattr;
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs system_data_file:file { getattr unlink };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir relabelto };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
 allow vold_prepare_subdirs storaged_data_file:dir { create_dir_perms relabelto };
diff --git a/public/domain.te b/public/domain.te
index 1b7bbd4ab..a83317dd5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1121,6 +1121,7 @@ neverallow {
   -system_app
   -init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  -vold_prepare_subdirs # For unlink
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
-- 
GitLab