Add neverallows for debugfs access Android R launching devices and newer must not ship with debugfs mounted. For Android S launching devices and newer, debugfs must only be mounted in userdebug/eng builds by init(for boot time initializations) and dumpstate(for grabbing debug information from debugfs using the dumpstate HAL). This patch adds neverallow statements to prevent othe processes being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS is set to true. Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS Bug: 184381659 Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be

commit: a0b504a484f29c4bef9ca0a8146e16b3b2df8a26 [log] [tgz]
author: Hridya Valsaraju <hridya@google.com> Wed Mar 24 16:40:15 2021 -0700
committer: Hridya Valsaraju <hridya@google.com> Wed Apr 21 14:13:22 2021 -0700
tree: bda97174134ee04e275a2517cf8e957ae634228f
parent: 1c3d898d8702b311634a037f04719f476c519032 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index d3478bd..136910e 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -186,7 +186,9 @@
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
 
 # Read /sys/kernel/ion/*.
 allow system_server sysfs_ion:file r_file_perms;
commit	a0b504a484f29c4bef9ca0a8146e16b3b2df8a26	[log] [tgz]
author	Hridya Valsaraju <hridya@google.com>	Wed Mar 24 16:40:15 2021 -0700
committer	Hridya Valsaraju <hridya@google.com>	Wed Apr 21 14:13:22 2021 -0700
tree	bda97174134ee04e275a2517cf8e957ae634228f
parent	1c3d898d8702b311634a037f04719f476c519032 [diff] [blame]