SEPolicy changes to allow kcov access in userdebug.
This includes the SELinux policy changes to allow for
kcov access in userdebug builds for coverage-guided
kernel fuzzing.
Bug: 117990869
Test: Ran syzkaller with Android untrusted_app sandbox with coverage.
Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7936147..16ae1a0 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -19,7 +19,8 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps debugfs_type:file read;
+neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
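Review bot: the comment above the rule still says debugfs files must never be readable by untrusted apps, but the two new neverallows now carve out debugfs_kcov on userdebug/eng builds, and the mechanism is easy to misread: `userdebug_or_eng(`-domain')` expands to `-domain` on those builds, which empties the source set `{all_untrusted_apps -domain}` so the second neverallow becomes a no-op there, while on user builds it expands to nothing and the rule keeps covering all of debugfs_type, kcov included. Suggest extending the comment to state that explicitly, e.g. "debugfs_kcov is exempt only on userdebug/eng builds to support coverage-guided kernel fuzzing; user builds still block it", so the next reader does not take the first rule alone as a blanket exemption. The debugfs_kcov type definition and the allow rules that actually grant untrusted apps read (and whatever else kcov needs) on it are not part of this hunk, so they should be checked separately to confirm they are also gated on userdebug_or_eng.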