Restrict write access to etm sysfs interface. Bug: 213519191 Test: boot device Change-Id: I40d110baea5593a597efa3c14fd0adecee23fc0f

commit: 927d7a752b160824e8d034e1f627ca89b1c8dc33 [log] [tgz]
author: Yabin Cui <yabinc@google.com> Tue Jan 11 11:45:03 2022 -0800
committer: Yabin Cui <yabinc@google.com> Tue Jan 11 14:12:52 2022 -0800
tree: 9a2071bbd5609032d46ca4eb133e82c3e8ced1b6
parent: 175f50137e829ed116dfd769a9b4bc8ef42c9978 [diff]
diff --git a/private/domain.te b/private/domain.te
index d12cbc7..ae5b0d7 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -569,6 +569,9 @@
   }:file no_rw_file_perms;
 ')
 
+# Restrict write access to etm sysfs interface.
+neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
+
 # Restrict write access to shell owned files. The /data/local/tmp directory is
 # untrustworthy, and non-allowed domains should not be trusting any content in
 # those directories. We allow shell files to be passed around by file
commit	927d7a752b160824e8d034e1f627ca89b1c8dc33	[log] [tgz]
author	Yabin Cui <yabinc@google.com>	Tue Jan 11 11:45:03 2022 -0800
committer	Yabin Cui <yabinc@google.com>	Tue Jan 11 14:12:52 2022 -0800
tree	9a2071bbd5609032d46ca4eb133e82c3e8ced1b6
parent	175f50137e829ed116dfd769a9b4bc8ef42c9978 [diff]