neverallow debugfs access

Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.

Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.

Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
diff --git a/domain.te b/domain.te
index b60e5e0..15594ef 100644
--- a/domain.te
+++ b/domain.te
@@ -508,3 +508,9 @@
 # $ grep mydaemon file_contexts
 # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
 neverallow domain domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix system_server and dumpstate
+neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
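Review bot: The exemption list also carves out init, but the comment above the rule (and the commit message) only mention system_server and dumpstate as temporary exceptions; add a line to the comment stating why init needs generic debugfs file access (for example, if it is expected to relabel nodes under /sys/kernel/debug at boot) so a later reader does not treat `-init` as another TODO to remove. The TODO itself would also benefit from a tracking bug or a short note on which debugfs paths system_server and dumpstate actually touch, since until those are relabeled to specific types this rule still permits two privileged domains full read/write on everything under the generic label.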
diff --git a/untrusted_app.te b/untrusted_app.te
index 9d80bd8..12a629d 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -112,7 +112,7 @@
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs:file read;
+neverallow untrusted_app debugfs_type:file read;
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
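Review bot: Switching the neverallow from the `debugfs` type to the `debugfs_type` attribute only achieves the stated goal if every type that debugfs nodes are relabeled to (and the base `debugfs` type itself) is declared with that attribute; the hunk does not show the attribute declaration or the type definitions, so please confirm that `debugfs` and all existing debugfs-specific types carry `debugfs_type`, otherwise this change would silently stop covering the generic label it covered before. A brief mention in the comment that `debugfs_type` is meant to include every debugfs-backed label would make the intent of the rule clear to anyone adding a new debugfs type later.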