Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).
This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
diff --git a/private/coredomain.te b/private/coredomain.te
index 9fe82d3..b7f4f5d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,9 +153,11 @@
# debugfs
neverallow {
coredomain
- -dumpstate
- -init
- -system_server
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
} debugfs:file no_rw_file_perms;
# tracefs
diff --git a/private/domain.te b/private/domain.te
index 167e54e..3d27563 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -518,3 +518,18 @@
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13e3b4c..f418fa3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -54,7 +54,10 @@
}:process signal;
# For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
diff --git a/private/incidentd.te b/private/incidentd.te
index a574eee..ef191a2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,7 +29,9 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/storaged.te b/private/storaged.te
index b7d4ae9..bb39e5b 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,10 +18,12 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/system_server.te b/private/system_server.te
index d3478bd..136910e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,7 +186,9 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;