Let incidentd read the wakeup_sources debugfs node for userdebug/eng builds
Currently, incidentd is allowed to read the wakeup_sources debugfs
node only if a device does not enforce debugfs restrictions. If a device
enforces debugfs restrictions, debugfs cannot be mounted on user builds,
but can be mounted on userdebug and eng builds.
Processes that need to use debugfs should therefore be able to
access it on userdebug and eng builds. So, allow incidentd to
read the wakeup sources debugfs node for userdebug and eng builds.
Bug: 300477252
Change-Id: I9bb480a0418a6d176b39753d552f409e139be178
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
diff --git a/private/domain.te b/private/domain.te
index 692c962..769264b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -668,6 +668,7 @@
userdebug_or_eng(`
-init
-hal_dumpstate
+ -incidentd
')
} { debugfs_type
userdebug_or_eng(`-debugfs_kcov')
diff --git a/private/incidentd.te b/private/incidentd.te
index e86b3bf..bf98d31 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,9 +29,7 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
+userdebug_or_eng(`allow incidentd debugfs_wakeup_sources:file r_file_perms');
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };