Add debugfs permission to 29.0 and 30.0 compat cil
Since Android S, we started to enforce the debugfs restrictions. However,
GSI had it turned off (PRODUCT_SET_DEBUGFS_RESTRICTIONS := false) in order
to support pre-S vendor images.
This has the undesirable side effect that the restriction is also turned off
for S+ vendors.
This CL fixes it by
1) re-enabling the restriction for GSI and
2) manually adding the debugfs permissions only to the compat cil for the
pre-S (29 and 30) vendors, effectively turning the restriction off for
them.
Bug: 330671086
Test: build
Test: run neverallow CTS
Change-Id: I5cd554b1b9f729a540e6b0f2aa0662091b691f0c
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index 0bb2ae8..2d37de6 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -11,3 +11,28 @@
(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+
+;; permission for devices (older than S) where debugfs restriction doesn't apply.
+(typeattribute debugfs_file_type)
+(typeattributeset debugfs_file_type (and debugfs_type file_type))
+(typeattribute debugfs_fs_type)
+(typeattributeset debugfs_fs_type (and debugfs_type fs_type))
+
+(allow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))
+(allow dumpstate debugfs_mmc (file (ioctl read getattr lock map open watch watch_reads)))
+(allow dumpstate debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))
+(auditallow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))
+
+(allow init debugfs (dir (getattr relabelfrom)))
+(allow init debugfs (file (getattr relabelfrom)))
+(allow init debugfs (lnk_file (getattr relabelfrom)))
+(allow init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
+(allow init debugfs_fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget watch)))
+(allow init debugfs_type (dir (getattr relabelto)))
+(allow init debugfs_type (file (getattr relabelto)))
+(allow init debugfs_type (lnk_file (getattr relabelto)))
+
+(allow system_server debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))
+
+(allow vendor_init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
+(allow vendor_init debugfs_fs_type (file (open read setattr map)))
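Review bot: The one-line comment that opens the added block (`;; permission for devices (older than S) where debugfs restriction doesn't apply.`) does not say where these rules come from or that they are deliberately wider than what S+ vendors get, which makes the block hard to audit later. The same applies to the identical block added in the 30.0.compat.cil hunk. I would expand it along the lines of `;; Bug 330671086: rules formerly emitted only when PRODUCT_SET_DEBUGFS_RESTRICTIONS was false; kept for pre-S vendor images. Keep in sync with 30.0.compat.cil.` The comment should also state that the `init` and `vendor_init` grants are written against the attributes `debugfs_file_type` and `debugfs_fs_type`, so they presumably extend to any vendor-defined type carrying `debugfs_type`, including `create`, `write` and `unlink` on files. That breadth looks intentional for compatibility, but it is the widest part of the change and nothing visible here besides manual copying keeps the two files consistent.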
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index b8bd755..c9c5f47 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -12,3 +12,28 @@
(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+
+;; permission for devices (older than S) where debugfs restriction doesn't apply.
+(typeattribute debugfs_file_type)
+(typeattributeset debugfs_file_type (and debugfs_type file_type))
+(typeattribute debugfs_fs_type)
+(typeattributeset debugfs_fs_type (and debugfs_type fs_type))
+
+(allow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))
+(allow dumpstate debugfs_mmc (file (ioctl read getattr lock map open watch watch_reads)))
+(allow dumpstate debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))
+(auditallow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))
+
+(allow init debugfs (dir (getattr relabelfrom)))
+(allow init debugfs (file (getattr relabelfrom)))
+(allow init debugfs (lnk_file (getattr relabelfrom)))
+(allow init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
+(allow init debugfs_fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget watch)))
+(allow init debugfs_type (dir (getattr relabelto)))
+(allow init debugfs_type (file (getattr relabelto)))
+(allow init debugfs_type (lnk_file (getattr relabelto)))
+
+(allow system_server debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))
+
+(allow vendor_init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
+(allow vendor_init debugfs_fs_type (file (open read setattr map)))