commit bd3fd0eebe05de41465257ce41eb0fab0784d3ec
author Jeff Vander Stoep <jeffv@google.com> Wed Jun 10 12:27:12 2020 +0200
committer Jeff Vander Stoep <jeffv@google.com> Thu Jun 11 07:43:30 2020 +0200
tree 7302b827e1b306a2a2bb375b74f7f0a6d6ea723c
parent 641cffeb0e7cd7c5c893ac67f1160ede379eeb57

Label kprobes and restrict access

Bug: 149659981
Test: build
Change-Id: I6abcd1bb9af15e7ba0f1f5e711ea9ac661bffc25

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 4c444d3..8a6c602 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -6,4 +6,5 @@
 (typeattributeset new_objects
   ( new_objects
     apex_info_file
+    debugfs_kprobes
     gnss_device))

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index d563267..9cd064a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -365,3 +365,6 @@
 
 # Do not allow reading the last boot timestamp from system properties
 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index b423e64..25de730 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -151,6 +151,7 @@
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
 
+genfscon debugfs /kprobes                             u:object_r:debugfs_kprobes:s0
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
 genfscon debugfs /tracing                             u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /                                    u:object_r:debugfs_tracing_debug:s0