Add a build flag to turn on debugfs restrictions
Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, this
patch introduces a build flag that can be set by vendors to enforce
additional debugfs restrictions for userdebug/eng builds. The same flag
will be used to enable sepolicy neverallow statements to prevent new
permissions from being added for debugfs access.
Bug: 184381659
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Change-Id: I9aff974da7ddce9bf1a7ec54153b161527b12062
diff --git a/core/soong_config.mk b/core/soong_config.mk
index b87eba1..17176df 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -256,6 +256,8 @@
$(call add_json_bool, BuildBrokenTrebleSyspropNeverallow, $(filter true,$(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW)))
$(call add_json_bool, BuildBrokenVendorPropertyNamespace, $(filter true,$(BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE)))
+$(call add_json_bool, BuildDebugfsRestrictionsEnabled, $(filter true,$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)))
+
$(call add_json_bool, RequiresInsecureExecmemForSwiftshader, $(filter true,$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)))
$(call add_json_bool, SelinuxIgnoreNeverallows, $(filter true,$(SELINUX_IGNORE_NEVERALLOWS)))
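Review bot: The new `BuildDebugfsRestrictionsEnabled` line is appended to the `BuildBroken*` group without a comment, so a reader skimming soong_config.mk will take it for another known-breakage workaround rather than a hardening knob; a short comment above it would fix that, e.g. `# PRODUCT_SET_DEBUGFS_RESTRICTIONS=true enforces the production debugfs restrictions on userdebug/eng builds too; the same value gates the sepolicy neverallows.` Note also that `$(filter true,…)` silently treats any other spelling (`True`, `yes`, `1`) as disabled, which for a restriction flag means a vendor typo fails open; if the file does not already validate product booleans elsewhere, consider an `$(error …)` on values outside `true`/`false` for this one. Whether `PRODUCT_SET_DEBUGFS_RESTRICTIONS` is declared in the product-variable list so it is actually populated here is not visible in this hunk and should be confirmed.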