Let vold_prepare_subdirs completely clean deleted user data.

After adding a new user, deleting it, and rebooting, some of the user's data still remained. This adds the SELinux permissions necessary to remove all of the data. It fixes the followign denials: avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 74866238 Test: Create user, delete user, reboot user, see no denials or leftover data. Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
author: Joel Galenson 2018-04-16 16:50:38 -0500
committer: Joel Galenson 2018-04-16 18:39:43 -0500
commit: 254a872cab855b01433cdd5a30239ef888452003 (patch)
tree: 04d780d8244ba7695b70e19a0a3c3abf9ef1a474 /public
parent: e96766dc42dd1889c5ccfdb37acac20ed75200cc (diff)
download: system-sepolicy-254a872cab855b01433cdd5a30239ef888452003.tar.gz
system-sepolicy-254a872cab855b01433cdd5a30239ef888452003.tar.xz
system-sepolicy-254a872cab855b01433cdd5a30239ef888452003.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/public/domain.te b/public/domain.te
index 41e09033..2856f2c6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1120,6 +1120,7 @@ neverallow {
  -system_app
  -init
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
author	Joel Galenson	2018-04-16 16:50:38 -0500
committer	Joel Galenson	2018-04-16 18:39:43 -0500
commit	254a872cab855b01433cdd5a30239ef888452003 (patch)
tree	04d780d8244ba7695b70e19a0a3c3abf9ef1a474 /public
parent	e96766dc42dd1889c5ccfdb37acac20ed75200cc (diff)
download	system-sepolicy-254a872cab855b01433cdd5a30239ef888452003.tar.gz system-sepolicy-254a872cab855b01433cdd5a30239ef888452003.tar.xz system-sepolicy-254a872cab855b01433cdd5a30239ef888452003.zip

diff --git a/public/domain.te b/public/domain.te index 41e09033..2856f2c6 100644 --- a/public/domain.te +++ b/public/domain.te
@@ -1120,6 +1120,7 @@ neverallow {
1120	-system_app	1120	-system_app
1121	-init	1121	-init
1122	-installd # for relabelfrom and unlink, check for this in explicit neverallow	1122	-installd # for relabelfrom and unlink, check for this in explicit neverallow
		1123	-vold_prepare_subdirs # For unlink
1123	with_asan(`-asan_extract')	1124	with_asan(`-asan_extract')
1124	} system_data_file:file no_w_file_perms;	1125	} system_data_file:file no_w_file_perms;
1125	# do not grant anything greater than r_file_perms and relabelfrom unlink	1126	# do not grant anything greater than r_file_perms and relabelfrom unlink