Merge changes from topic "revert-1668411-MWQWEZISXF"
* changes:
Revert "Add a neverallow for debugfs mounting"
Revert "Add neverallows for debugfs access"
Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
Revert "Check that tracefs files are labelled as tracefs_type"
diff --git a/Android.mk b/Android.mk
index cc9340d..7e0e02e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -301,11 +301,6 @@
enforce_sysprop_owner := false
endif
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
- enforce_debugfs_restriction := true
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -626,7 +621,6 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -644,7 +638,6 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -703,7 +696,6 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -721,7 +713,6 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -893,7 +884,6 @@
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -957,7 +947,6 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
@@ -1224,7 +1213,6 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
-$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy.recovery.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1462,7 +1450,6 @@
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1495,7 +1482,6 @@
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1614,7 +1600,6 @@
built_plat_sepolicy :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8daa42d..d734c97 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -135,13 +135,6 @@
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
}
-func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
- if c.cts() {
- return "cts"
- }
- return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
-}
-
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
conf := android.PathForModuleOut(ctx, "conf").OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
@@ -161,7 +154,6 @@
FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
- FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
Flag("-s").
Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
Text("> ").Output(conf)
diff --git a/definitions.mk b/definitions.mk
index 63c4d94..95f297b 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -15,7 +15,6 @@
-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
- -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
index a591a48..20ceaa7 100644
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@@ -61,7 +61,6 @@
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
-$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
$(1): PRIVATE_POLICY_FILES := $$(policy_files)
$(1): $$(policy_files) $$(M4)
$$(transform-policy-to-conf)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 6c43f7f..e479f33 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -135,7 +135,6 @@
vcn_management_service
vd_device
vendor_kernel_modules
- vendor_modprobe
vibrator_manager_service
virtualization_service
vpn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index b7f4f5d..9fe82d3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,11 +153,9 @@
# debugfs
neverallow {
coredomain
- no_debugfs_restriction(`
- -dumpstate
- -init
- -system_server
- ')
+ -dumpstate
+ -init
+ -system_server
} debugfs:file no_rw_file_perms;
# tracefs
diff --git a/private/domain.te b/private/domain.te
index d28b846..87518a7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -364,15 +364,7 @@
-update_engine
-vold
-zygote
-} { fs_type
- -sdcard_type
-}:filesystem { mount remount relabelfrom relabelto };
-
-enforce_debugfs_restriction(`
- neverallow {
- domain userdebug_or_eng(`-init')
- } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
-')
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
@@ -518,21 +510,3 @@
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
-
-# debugfs_kcov type is not included in this neverallow statement since the KCOV
-# tool uses it for kernel fuzzing.
-# vendor_modprobe is also exempted since the kernel modules it loads may create
-# debugfs files in its context.
-enforce_debugfs_restriction(`
- neverallow {
- domain
- -vendor_modprobe
- userdebug_or_eng(`
- -init
- -hal_dumpstate
- ')
- } { debugfs_type
- userdebug_or_eng(`-debugfs_kcov')
- -tracefs_type
- }:file no_rw_file_perms;
-')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index f418fa3..13e3b4c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -54,10 +54,7 @@
}:process signal;
# For collecting bugreports.
-no_debugfs_restriction(`
- allow dumpstate debugfs_wakeup_sources:file r_file_perms;
-')
-
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..a574eee 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,9 +29,7 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/storaged.te b/private/storaged.te
index bb39e5b..b7d4ae9 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,12 +18,10 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-no_debugfs_restriction(`
- userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
- ')
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/system_server.te b/private/system_server.te
index 136910e..d3478bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,9 +186,7 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-no_debugfs_restriction(`
- allow system_server debugfs_wakeup_sources:file r_file_perms;
-')
+allow system_server debugfs_wakeup_sources:file r_file_perms;
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index daef4bb..c5a93c9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -62,9 +62,6 @@
# All types use for debugfs files.
attribute debugfs_type;
-# All types used for tracefs files.
-attribute tracefs_type;
-
# Attribute used for all sdcards
attribute sdcard_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 85a5796..28bdb82 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -113,12 +113,10 @@
}:file r_file_perms;
# Other random bits of data we want to collect
-no_debugfs_restriction(`
- allow dumpstate debugfs:file r_file_perms;
- auditallow dumpstate debugfs:file r_file_perms;
+allow dumpstate debugfs:file r_file_perms;
+auditallow dumpstate debugfs:file r_file_perms;
- allow dumpstate debugfs_mmc:file r_file_perms;
-')
+allow dumpstate debugfs_mmc:file r_file_perms;
# df for
allow dumpstate {
diff --git a/public/file.te b/public/file.te
index 13cdc6e..c31bb9d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -144,14 +144,14 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
@@ -562,7 +562,7 @@
type vndservice_contexts_file, file_type;
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
diff --git a/public/init.te b/public/init.te
index ea5a979..893573e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -162,19 +162,7 @@
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
-allow init {
- fs_type
- enforce_debugfs_restriction(`-debugfs_type')
-}:filesystem ~relabelto;
-
-# Allow init to mount/unmount debugfs in non-user builds.
-enforce_debugfs_restriction(`
- userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
-')
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
+allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
@@ -240,11 +228,8 @@
-system_file_type
-vendor_file_type
-vold_data_file
- enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
allow init {
file_type
-app_data_file
@@ -293,8 +278,8 @@
-privapp_data_file
}:dir_file_class_set relabelto;
-allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -315,7 +300,6 @@
-sdcard_type
-sysfs_type
-rootfs
- enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
diff --git a/public/recovery.te b/public/recovery.te
index 3649888..63ba3ee 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -32,7 +32,7 @@
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery tmpfs:dir mounton;
- allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
+ allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
diff --git a/public/te_macros b/public/te_macros
index 8d15d47..1ce5541 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -506,23 +506,6 @@
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
-# enforce_debugfs_restriction
-# SELinux rules which apply to devices that enable debugfs restrictions.
-# The keyword "cts" is used to insert markers to only CTS test the neverallows
-# added by the macro for S-launch devices and newer.
-define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
-ifelse(target_enforce_debugfs_restriction, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# no_debugfs_restriction
-# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
-define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
-
-#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 11f298e..1c425fb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -79,7 +79,6 @@
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
- enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -144,11 +143,8 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
- enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
-allow vendor_init tracefs_type:file { open read setattr map };
-
allow vendor_init {
fs_type
-contextmount_type
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
deleted file mode 100644
index 529c4aa..0000000
--- a/public/vendor_modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_modprobe, domain;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 1d26dfc..edd1708 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -40,18 +40,11 @@
def TestDebugfsTypeViolations(pol):
ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
+ ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
"/sys/kernel/tracing"], [], "debugfs_type")
return ret
-def TestTracefsTypeViolations(pol):
- ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
- ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
- ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
- ["/sys/kernel/debug/tracing"], "tracefs_type",
- [])
- return ret
-
def TestVendorTypeViolations(pol):
partitions = ["/vendor/", "/odm/"]
exceptions = [
@@ -118,7 +111,6 @@
"TestSysfsTypeViolations",
"TestSystemTypeViolators",
"TestDebugfsTypeViolations",
- "TestTracefsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
"TestPropertyTypeViolations",
@@ -173,8 +165,6 @@
results += TestSystemTypeViolations(pol)
if options.test is None or "TestDebugfsTypeViolations" in options.test:
results += TestDebugfsTypeViolations(pol)
- if options.test is None or "TestTracefsTypeViolations" in options.test:
- results += TestTracefsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 3f5918c..4628ecc 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -1,3 +1,5 @@
+type vendor_modprobe, domain;
+
# For the use of /vendor/bin/modprobe from vendor init.rc fragments
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)