Revert "Revert "Add a neverallow for debugfs mounting""
This reverts commit f9dbb7265413dbedab45020b822be4453b2fd0d3.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/
Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 9d574c9..75fbdf1 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -135,6 +135,13 @@
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
}
+func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
+}
+
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
conf := android.PathForModuleOut(ctx, "conf").OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
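Review bot: The new `enforceDebugfsRestrictions` has no doc comment, and it returns one of three strings rather than a boolean: `"cts"` when `c.cts()` is true, otherwise `"true"` or `"false"` from `BuildDebugfsRestrictionsEnabled()`. I would add `// enforceDebugfsRestrictions returns the value passed as target_enforce_debugfs_restriction: "cts" for CTS policy, else "true"/"false" from the device config.` above it. Because the value gates a neverallow, the policy side has to handle all three values deliberately. The policy sources are not visible here, so it is worth confirming that `"cts"` and `"false"` each do what is intended, and that a device which never sets the build flag is not silently left unenforced.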
@@ -154,6 +161,7 @@
FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+ FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
Flag("-s").
Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
Text("> ").Output(conf)
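Review bot: The define on the added line is spelled `target_enforce_debugfs_restriction` (singular), while the Go method and `BuildDebugfsRestrictionsEnabled` use the plural. If these are m4 defines, as the `-D` and `-s` flags suggest, a name that does not match the policy sources would be left unexpanded, and the neverallow would presumably drop out without a build error. Confirm that the policy files test exactly this spelling, and consider a build-time check or test that fails when the macro is undefined, so that a typo cannot disable the restriction unnoticed. The builder chain this line belongs to starts above the hunk.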