Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5f2f6fdf362d14b7960850a05e790b5.
Now that b/186727553 is fixed, it should be safe to revert this revert.
Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
diff --git a/private/coredomain.te b/private/coredomain.te
index 9fe82d3..b7f4f5d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,9 +153,11 @@
# debugfs
neverallow {
coredomain
- -dumpstate
- -init
- -system_server
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
} debugfs:file no_rw_file_perms;
# tracefs
diff --git a/private/domain.te b/private/domain.te
index c7a3495..4b8bb2a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -521,3 +521,18 @@
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13e3b4c..f418fa3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -54,7 +54,10 @@
}:process signal;
# For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
diff --git a/private/incidentd.te b/private/incidentd.te
index a574eee..ef191a2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,7 +29,9 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/storaged.te b/private/storaged.te
index b7d4ae9..bb39e5b 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,10 +18,12 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/system_server.te b/private/system_server.te
index caf5208..08c4e40 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -184,7 +184,9 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;