Add a property to enable runtime debugfs restrictions in non-user builds

This patch adds ro.product.enforce_debugfs_restrictions to
property_contexts. When the property is set to true in non-user builds,
init mounts debugfs in early-init to enable boot-time debugfs
initializations and unmounts it on boot complete. Similarly, dumpstate
will mount debugfs to collect information from debugfs during bugreport
collection via the dumpstate HAL and unmount debugfs once done. Doing
so will allow non-user builds to keep debugfs disabled during runtime.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS, adb shell am
bugreport
Bug: 184381659

Change-Id: Ib720523c7f94a4f9ce944d46977a3c01ed829414
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e5681de..96fefc0 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -25,6 +25,7 @@
     debugfs_kprobes
     debugfs_mm_events_tracing
     debugfs_bootreceiver_tracing
+    debugfs_restriction_prop
     device_config_profcollect_native_boot_prop
     device_config_connectivity_prop
     device_config_swcodec_native_prop
diff --git a/private/property_contexts b/private/property_contexts
index c7d6743..c0ebfda 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -800,6 +800,9 @@
 ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
 ro.old_dlkm.build.version.sdk                 u:object_r:build_vendor_prop:s0 exact int
 
+# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
+ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
+
 # All vendor build props are set by /vendor/build.prop
 ro.vendor.build.date                        u:object_r:build_vendor_prop:s0 exact string
 ro.vendor.build.date.utc                    u:object_r:build_vendor_prop:s0 exact int
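Review bot: The property name added in this hunk, ro.product.debugfs_restrictions.enabled, does not match the name given in the commit message, ro.product.enforce_debugfs_restrictions. Align the two so that anyone searching by the documented name finds this entry. The new comment says the value is set by /vendor/build.prop while the key sits under the ro.product. prefix; a few words in the comment on why that prefix was chosen for a vendor-set property, and on which components read it (init and dumpstate, per the commit message), would help future readers.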
diff --git a/public/property.te b/public/property.te
index 8cae47c..f4437bd 100644
--- a/public/property.te
+++ b/public/property.te
@@ -126,6 +126,7 @@
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(cpu_variant_prop)
 system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
 system_vendor_config_prop(drm_service_config_prop)
 system_vendor_config_prop(exported_camera_prop)
 system_vendor_config_prop(exported_config_prop)
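Review bot: The added line system_vendor_config_prop(debugfs_restriction_prop) only declares the type, and none of the hunks shown grants read access to the components the commit message names as consumers (init, dumpstate, and the dumpstate HAL if it reads the property itself). Please confirm that those domains can already read the new type through existing rules, or add the matching get_prop rules in this change or in the one that introduces the mount and unmount logic, so that the policy and the behaviour described in the commit message land together.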