From 4561fcb76c63eb8aecdb67a7ee0600ef5e2009c7 Mon Sep 17 00:00:00 2001
From: Paul Crowley
Date: Mon, 16 Sep 2019 10:00:52 -0700
Subject: [PATCH] Allow toolbox to rm -rf /data/per_boot
Bug: 140882488
Test: create files and dirs in /data/per_boot, check they're removed.
Cherry-Picked-From: 859f9211d802e1c210ccf15674c3bd6dc60c3681
Cherry-Picked-From: 2367ba358f0ec0c0c591e3e2feadabf891f38eef
Merged-In: Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343
Change-Id: Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343
---
 prebuilts/api/29.0/public/domain.te | 2 +-
 prebuilts/api/29.0/public/toolbox.te | 4 ++++
 public/domain.te | 2 +-
 public/toolbox.te | 4 ++++
 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 987bb9f2d..f34870181 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -1154,6 +1154,7 @@ neverallow {
 -system_server
 -system_app
 -init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
 -installd # for relabelfrom and unlink, check for this in explicit neverallow
 -vold_prepare_subdirs # For unlink
 with_asan(`-asan_extract')
@@ -1407,4 +1408,3 @@ neverallow {
 -hal_codec2_server
 -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/prebuilts/api/29.0/public/toolbox.te b/prebuilts/api/29.0/public/toolbox.te
index 19cc3b6fe..fcf0ec34b 100644
--- a/prebuilts/api/29.0/public/toolbox.te
+++ b/prebuilts/api/29.0/public/toolbox.te
@@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms;
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
diff --git a/public/domain.te b/public/domain.te
index 987bb9f2d..f34870181 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1154,6 +1154,7 @@ neverallow {
 -system_server
 -system_app
 -init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
 -installd # for relabelfrom and unlink, check for this in explicit neverallow
 -vold_prepare_subdirs # For unlink
 with_asan(`-asan_extract')
@@ -1407,4 +1408,3 @@ neverallow {
 -hal_codec2_server
 -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/public/toolbox.te b/public/toolbox.te
index 19cc3b6fe..fcf0ec34b 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms;
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
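Review bot: The `-toolbox` exemption added to the neverallow at line 1154 of public/domain.te is documented only by a TODO, so a reader cannot tell which permission toolbox needs or why, whereas the neighbouring `-installd` and `-vold_prepare_subdirs` entries name theirs. A comment such as `-toolbox # unlink/rmdir for rm -rf /data/per_boot; TODO(b/141108496) remove` would record the intended bound. The neverallow's target types and permission list lie outside the hunk, so presumably toolbox is exempted from everything that rule guards, not just unlink; that is worth confirming before merging. The same hunk appears in prebuilts/api/29.0/public/domain.te.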
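Review bot: The two allow rules added at the end of public/toolbox.te are keyed on `system_data_file`, a label that is not specific to /data/per_boot, so toolbox gains unlink and rmdir on every file and directory carrying that label. That is considerably wider than the commit title, and the comment `# rm -rf directories in /data` does not mention per_boot at all. `rw_dir_perms` also appears to include `add_name`, which removal does not need. A dedicated type for the directory would confine the grant, e.g. `allow toolbox per_boot_file:dir { rmdir r_dir_perms write remove_name };` and `allow toolbox per_boot_file:file { getattr unlink };` (`per_boot_file` is a placeholder name, to be labelled in file_contexts), and would likely make the `-toolbox` neverallow exemption in domain.te unnecessary. The same hunk appears in prebuilts/api/29.0/public/toolbox.te.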