sepolicy: allow init to mount debugfs in userdebug builds This change will help debug builds with keeping debugfs disabled during run time. Instead, debugfs will be mounted by init to enable boot time initializations to set up debug data collection and unmounted after boot. It will be also be mounted by dumpstate for bug report generation and unmounted after. It resolves the following avc denial: avc: denied { mounton } for comm="init" path="/sys/kernel/debug" dev="debugfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:debugfs:s0 tclass=dir permissive=0 Bug: 176936478 Test: make && boot Change-Id: I5bc819eb0cc36bdc32565c17a16da8838baf946a

commit: 90eadaac59464b6d05822eb5f0d0c5704f7fd731 [log] [tgz]
author: Hridya Valsaraju <hridya@google.com> Thu Jan 07 19:03:47 2021 -0800
committer: Hridya Valsaraju <hridya@google.com> Thu Jan 07 21:32:24 2021 -0800
tree: bcf0da42b5fa42f5aca47c2c4ccb3ee871d417de
parent: 9b6eeb3307321abe8a897cdca6fce0b5cd8f462f [diff]
diff --git a/public/init.te b/public/init.te
index 0bbeb29..f491108 100644
--- a/public/init.te
+++ b/public/init.te

@@ -16,6 +16,12 @@
 userdebug_or_eng(`
   allow init kmsg_debug_device:chr_file { open write relabelto };
 ')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+  allow init debugfs:dir mounton;
+')
+
 # /dev/__properties__
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
commit	90eadaac59464b6d05822eb5f0d0c5704f7fd731	[log] [tgz]
author	Hridya Valsaraju <hridya@google.com>	Thu Jan 07 19:03:47 2021 -0800
committer	Hridya Valsaraju <hridya@google.com>	Thu Jan 07 21:32:24 2021 -0800
tree	bcf0da42b5fa42f5aca47c2c4ccb3ee871d417de
parent	9b6eeb3307321abe8a897cdca6fce0b5cd8f462f [diff]