Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).
This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
diff --git a/private/coredomain.te b/private/coredomain.te
index 9fe82d3..b7f4f5d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,9 +153,11 @@
# debugfs
neverallow {
coredomain
- -dumpstate
- -init
- -system_server
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
} debugfs:file no_rw_file_perms;
# tracefs
diff --git a/private/domain.te b/private/domain.te
index 167e54e..3d27563 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -518,3 +518,18 @@
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13e3b4c..f418fa3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -54,7 +54,10 @@
}:process signal;
# For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
diff --git a/private/incidentd.te b/private/incidentd.te
index a574eee..ef191a2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,7 +29,9 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/storaged.te b/private/storaged.te
index b7d4ae9..bb39e5b 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,10 +18,12 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/system_server.te b/private/system_server.te
index d3478bd..136910e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,7 +186,9 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index c5a93c9..daef4bb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -62,6 +62,9 @@
# All types use for debugfs files.
attribute debugfs_type;
+# All types used for tracefs files.
+attribute tracefs_type;
+
# Attribute used for all sdcards
attribute sdcard_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 28bdb82..85a5796 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -113,10 +113,12 @@
}:file r_file_perms;
# Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
-auditallow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
-allow dumpstate debugfs_mmc:file r_file_perms;
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
# df for
allow dumpstate {
diff --git a/public/file.te b/public/file.te
index 174a149..4353760 100644
--- a/public/file.te
+++ b/public/file.te
@@ -142,14 +142,14 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
@@ -560,7 +560,7 @@
type vndservice_contexts_file, file_type;
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
diff --git a/public/init.te b/public/init.te
index 641a969..7e6789f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -240,8 +240,11 @@
-system_file_type
-vendor_file_type
-vold_data_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
allow init {
file_type
-app_data_file
@@ -290,8 +293,8 @@
-privapp_data_file
}:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -312,6 +315,7 @@
-sdcard_type
-sysfs_type
-rootfs
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a8f9418..8a74421 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -79,6 +79,7 @@
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -143,8 +144,11 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
+allow vendor_init tracefs_type:file { open read setattr map };
+
allow vendor_init {
fs_type
-contextmount_type