Add sepolicy for the securityfs mount type. See discussion in aosp/1233645. There was a concern about this filesystem automounting when enabled, so this change adds sepolicy to preemptively lock it down. I'm not confident it actually automounts. If it does, it'll land in /sys/kernel/security, which is also protected with the sysfs policy. Test: Builds Bug: 148102533 Change-Id: I78a246a5c18953f2471f84367ab383afb2742908

commit: 71b0b85a9469e99fec499ccf37ed07b0de6b4f1f [log] [tgz]
author: A. Cody Schuffelen <schuffelen@google.com> Tue Feb 18 15:26:44 2020 -0800
committer: A. Cody Schuffelen <schuffelen@google.com> Wed Mar 11 12:24:24 2020 -0700
tree: e318b6d6743ec33853003c49bac34355907aaaa6
parent: 6862377b84ac0fbaa6cc14f58cfe664a7cc0aa32 [diff]
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 9c5deb0..e373726 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil

@@ -81,6 +81,7 @@
     prereboot_data_file
     art_apex_dir
     rebootescrow_hal_prop
+    securityfs
     service_manager_service
     service_manager_vndservice
     simpleperf

diff --git a/private/genfs_contexts b/private/genfs_contexts
index ccf6784..828929f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -291,6 +291,8 @@
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
 
+genfscon securityfs / u:object_r:securityfs:s0
+
 genfscon binder /binder u:object_r:binder_device:s0
 genfscon binder /hwbinder u:object_r:hwbinder_device:s0
 genfscon binder /vndbinder u:object_r:vndbinder_device:s0
commit	71b0b85a9469e99fec499ccf37ed07b0de6b4f1f	[log] [tgz]
author	A. Cody Schuffelen <schuffelen@google.com>	Tue Feb 18 15:26:44 2020 -0800
committer	A. Cody Schuffelen <schuffelen@google.com>	Wed Mar 11 12:24:24 2020 -0700
tree	e318b6d6743ec33853003c49bac34355907aaaa6
parent	6862377b84ac0fbaa6cc14f58cfe664a7cc0aa32 [diff]