Merge "init: fix SELinux denials on remounting from new netns" into main am: 67e0a3539b
Original change: https://android-review.googlesource.com/c/platform/system/core/+/3535246
Change-Id: I1bcd9b5d53be09bee23972ef331b0c2546fb48dc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/init/service_utils.cpp b/init/service_utils.cpp
index f8821a0..8d9a046 100644
--- a/init/service_utils.cpp
+++ b/init/service_utils.cpp
@@ -98,7 +98,17 @@
// Look up the filesystems that were mounted under /sys before we wiped
// it and attempt to restore them.
for (const auto& entry : mounts) {
- if (entry.mount_point.starts_with("/sys/")) {
+ // Never mount /sys/kernel/debug/tracing. This is the *one* mount
+ // that is special within Linux kernel: for backward compatibility
+ // tracefs gets auto-mounted there whenever one mounts debugfs [1].
+ //
+ // Attempting to mount the filesystem here will cause SELinux
+ // denials, because unlike *all other* filesystems in Android, it's
+ // not init who mounted it so there's no policy that would allow it.
+ //
+ // [1] https://lore.kernel.org/lkml/20150204143755.694479564@goodmis.org/
+ if (entry.mount_point.starts_with("/sys/") &&
+ entry.mount_point != "/sys/kernel/debug/tracing") {
if (mount(entry.blk_device.c_str(), entry.mount_point.c_str(),
entry.fs_type.c_str(), entry.flags, "")) {
LOG(WARNING) << "Could not mount(" << entry.mount_point