Add a build flag to turn on debugfs restrictions
Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, this
patch introduces a build flag that can be set by vendors to enforce
additional debugfs restrictions for userdebug/eng builds. The same flag
will be used to enable sepolicy neverallow statements that prevent new
permissions from being added for debugfs access.
Bug: 184381659
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Change-Id: I9aff974da7ddce9bf1a7ec54153b161527b12062
diff --git a/core/main.mk b/core/main.mk
index 3362681..d39476d 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -290,6 +290,13 @@
ro.product.first_api_level=$(PRODUCT_SHIPPING_API_LEVEL)
endif
+ifneq ($(TARGET_BUILD_VARIANT),user)
+ ifdef PRODUCT_SET_DEBUGFS_RESTRICTIONS
+ ADDITIONAL_VENDOR_PROPERTIES += \
+ ro.product.enforce_debugfs_restrictions=$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)
+ endif
+endif
+
# Vendors with GRF must define BOARD_SHIPPING_API_LEVEL for the vendor API level.
# This must not be defined for the non-GRF devices.
ifdef BOARD_SHIPPING_API_LEVEL
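Review bot: The `ifdef PRODUCT_SET_DEBUGFS_RESTRICTIONS` guard passes for any non-empty value, so a vendor who sets the flag to `false` (or mistypes it) still gets the property emitted with that literal string via `ro.product.enforce_debugfs_restrictions=$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)`. The commit message says the same flag will gate the sepolicy neverallow statements. If that gate also tests only for definedness, the build-time policy and the runtime property could disagree about whether restrictions are enforced. Consider accepting only the literal value, `ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)`, and emitting `ro.product.enforce_debugfs_restrictions=true`. A one-line comment above the block, such as `# user builds never mount debugfs; this opt-in extends the restriction to userdebug/eng`, would also record why `user` is excluded.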