Merge "Add a build flag to turn on debugfs restrictions"
diff --git a/core/main.mk b/core/main.mk
index cc9c809..1e9a95f 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -290,6 +290,13 @@
ro.product.first_api_level=$(PRODUCT_SHIPPING_API_LEVEL)
endif
+ifneq ($(TARGET_BUILD_VARIANT),user)
+ ifdef PRODUCT_SET_DEBUGFS_RESTRICTIONS
+ ADDITIONAL_VENDOR_PROPERTIES += \
+ ro.product.enforce_debugfs_restrictions=$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)
+ endif
+endif
+
# Vendors with GRF must define BOARD_SHIPPING_API_LEVEL for the vendor API level.
# This must not be defined for the non-GRF devices.
ifdef BOARD_SHIPPING_API_LEVEL
diff --git a/core/product.mk b/core/product.mk
index 7c27614..015fe44 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -341,6 +341,9 @@
# This flag implies PRODUCT_USE_DYNAMIC_PARTITIONS.
_product_single_value_vars += PRODUCT_RETROFIT_DYNAMIC_PARTITIONS
+# When this is true, various build time as well as runtime debugfs restrictions are enabled.
+_product_single_value_vars += PRODUCT_SET_DEBUGFS_RESTRICTIONS
+
# Other dynamic partition feature flags.PRODUCT_USE_DYNAMIC_PARTITION_SIZE and
# PRODUCT_BUILD_SUPER_PARTITION default to the value of PRODUCT_USE_DYNAMIC_PARTITIONS.
_product_single_value_vars += \
diff --git a/core/soong_config.mk b/core/soong_config.mk
index b87eba1..17176df 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -256,6 +256,8 @@
$(call add_json_bool, BuildBrokenTrebleSyspropNeverallow, $(filter true,$(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW)))
$(call add_json_bool, BuildBrokenVendorPropertyNamespace, $(filter true,$(BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE)))
+$(call add_json_bool, BuildDebugfsRestrictionsEnabled, $(filter true,$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)))
+
$(call add_json_bool, RequiresInsecureExecmemForSwiftshader, $(filter true,$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)))
$(call add_json_bool, SelinuxIgnoreNeverallows, $(filter true,$(SELINUX_IGNORE_NEVERALLOWS)))