strengthen debugfs neverallows
The comments here suggest they intended to put stronger
rules in place.
Bug: 281877578
Test: boot
Change-Id: I4c837c2e0f86f648c212fa7915275cd75319e663
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9f2b1d5..0491a33 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -66,7 +66,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
+neverallow ephemeral_app debugfs_type:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
diff --git a/private/priv_app.te b/private/priv_app.te
index cfd8721..b455732 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -218,7 +218,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
+neverallow priv_app debugfs_type:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 6e7ba50..8e46ca3 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -45,7 +45,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
+neverallow sdk_sandbox_all debugfs_type:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;