Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / 6b7311fc99b72bbc18c77282e2a3b52880c8326f^! / .
commit6b7311fc99b72bbc18c77282e2a3b52880c8326f[log] [tgz]
authorHridya Valsaraju <hridya@google.com>Fri Apr 02 12:36:20 2021 -0700
committerHridya Valsaraju <hridya@google.com>Fri Apr 02 17:00:50 2021 -0700
treee3f6d6b9c95519e7bf7cf07c502d541fc90fe1e8
parent007d7941c82563f27decf2f0a951c1c402f31433 [diff]
Use property ro.product.enforce_debugfs_restrictions to enable debugfs
restrictions

Use the property ro.product.enforce_debugfs_restrictions to enable
debugfs restrictions instead of checking the launch API level. Vendors
can enable build-time as well as run-time debugfs restrictions by
setting the build flag PRODUCT_SET_DEBUGFS_RESTRICTIONS true which in
turn sets ro.product.enforce_debugfs_restrictions true as well enables
sepolicy neverallow restrictions that prevent debugfs access. The
intention of the build flag is to prevent debugfs dependencies from
creeping in during development on userdebug/eng builds.

Test: build and boot
Bug: 184381659
Change-Id: If555037f973e6e4f35eb7312637f58e8360c3013

diff --git a/init/init.cpp b/init/init.cpp
index 7264b22..a7325ca 100644
--- a/init/init.cpp
+++ b/init/init.cpp

@@ -849,21 +849,6 @@
     auto is_installed = android::gsi::IsGsiInstalled() ? "1" : "0";
     SetProperty(gsi::kGsiInstalledProp, is_installed);
 
-    /*
-     * For debug builds of S launching devices, init mounts debugfs for
-     * enabling vendor debug data collection setup at boot time. Init will unmount it on
-     * boot-complete after vendor code has performed the required initializations
-     * during boot. Dumpstate will then mount debugfs in order to read data
-     * from the same using the dumpstate HAL during bugreport creation.
-     * Dumpstate will also unmount debugfs after bugreport creation.
-     * first_api_level comparison is done here instead
-     * of init.rc since init.rc parser does not support >/< operators.
-     */
-    auto api_level = android::base::GetIntProperty("ro.product.first_api_level", 0);
-    bool is_debuggable = android::base::GetBoolProperty("ro.debuggable", false);
-    auto mount_debugfs = (is_debuggable && (api_level >= 31)) ? "1" : "0";
-    SetProperty("init.mount_debugfs", mount_debugfs);
-
     am.QueueBuiltinAction(SetupCgroupsAction, "SetupCgroups");
     am.QueueBuiltinAction(SetKptrRestrictAction, "SetKptrRestrict");
     am.QueueBuiltinAction(TestPerfEventSelinuxAction, "TestPerfEventSelinux");

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 9a30ead..5a9cc99 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -985,7 +985,7 @@
     write /proc/sys/vm/dirty_expire_centisecs 200
     write /proc/sys/vm/dirty_background_ratio  5
 
-on property:sys.boot_completed=1 && property:init.mount_debugfs=1
+on property:sys.boot_completed=1 && property:ro.product.enforce_debugfs_restrictions=true
    umount /sys/kernel/debug
 
 on boot
@@ -1263,7 +1263,7 @@
 on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1
   setprop sys.init.userspace_reboot.in_progress ""
 
-on early-init && property:init.mount_debugfs=1
+on early-init && property:ro.product.enforce_debugfs_restrictions=true
     mount debugfs debugfs /sys/kernel/debug
     chmod 0755 /sys/kernel/debug