strengthen debugfs neverallows
The comments here suggest they intended to put stronger
rules in place.
Bug: 281877578
Test: boot
Change-Id: I4c837c2e0f86f648c212fa7915275cd75319e663
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 6e7ba50..8e46ca3 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -45,7 +45,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
+neverallow sdk_sandbox_all debugfs_type:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;
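Review bot: The widened rule on the `+` line still forbids only `read` on class `file`, so it asserts nothing about `dir` or `lnk_file` objects of `debugfs_type` types. If the stronger rule the description mentions is meant to cover those as well, that needs a separate neverallow, and whether existing allow rules would permit it cannot be seen from this hunk. The comment above the rule still refers to debugfs generically; I would add a line such as `# Covers every type carrying the debugfs_type attribute, not only the generic debugfs label.` so the scope is clear. A neverallow is checked when the policy is compiled, so a policy build rather than a boot is what confirms that no existing allow rule conflicts with the wider match.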