gta4xl-common: Set PRODUCT_SET_DEBUGFS_RESTRICTIONS
Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, the
build flag PRODUCT_SET_DEBUGFS_RESTRICTIONS can be set by vendors to
enforce additional debugfs restrictions for userdebug/eng builds. The
same flag will be used to enable sepolicy neverallow statements to
prevent new permissions added for debugfs access.
Test: build, boot
Bug: 184381659
Change-Id: I45e6f20c886d467a215c9466f3a09965ff897d7e
diff --git a/common.mk b/common.mk
index 99cc1d3..bda1884 100644
--- a/common.mk
+++ b/common.mk
@@ -135,6 +135,9 @@
$(COMMON_PATH)/configs/init/init.samsung.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/init.samsung.rc \
$(COMMON_PATH)/configs/init/ueventd.rc:$(TARGET_COPY_OUT_VENDOR)/etc/ueventd.rc
+# Kernel
+PRODUCT_SET_DEBUGFS_RESTRICTIONS := true
+
# Keylayout
PRODUCT_COPY_FILES += \
$(COMMON_PATH)/configs/idc/sec_e-pen.idc:$(TARGET_COPY_OUT_VENDOR)/usr/idc/sec_e-pen.idc \
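Review bot: The `# Kernel` heading above the new `PRODUCT_SET_DEBUGFS_RESTRICTIONS := true` line in common.mk says nothing about what the flag enforces or why it was enabled, so a maintainer tempted to re-add a debugfs mount or chown to the init rc has to dig through history to learn it would be rejected. Suggest replacing the heading with `# Debugfs: R+ launched devices must not mount debugfs in user builds; this flag also` / `# restricts debugfs on userdebug/eng and enables the matching sepolicy neverallow rules`. Since the same commit drops the vendor `mount debugfs` line and the debugfs chmod/chown entries from init.exynos9611.rc, any remaining in-tree consumer of /sys/kernel/debug (the audio and memtrack paths those entries served, presumably) would now find the nodes absent on user builds and be denied by sepolicy on userdebug; `Test: build, boot` alone may not exercise those paths, so a check of the boot log for related denials or open failures would be worth recording in the commit.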
diff --git a/configs/init/init.exynos9611.rc b/configs/init/init.exynos9611.rc
index 8c0288b..4edc324 100644
--- a/configs/init/init.exynos9611.rc
+++ b/configs/init/init.exynos9611.rc
@@ -2,7 +2,6 @@
mkdir /mnt/vendor/efs 0771 radio system
mkdir /mnt/vendor/cpefs 0771 radio system
mkdir /mnt/vendor/persist 0771 system system
- mount debugfs /sys/kernel/debug /sys/kernel/debug
on init
# Set permissions for persist partition
@@ -272,9 +271,6 @@
chown system system /sys/devices/svc/Camera/SVC_rear_module
chown system system /sys/devices/svc/Camera/SVC_front_module
- chmod 0755 /sys/kernel/debug/tracing
- restorecon /sys/kernel/debug/tracing/trace_marker
-
# HWC data
mkdir /data/vendor/log/hwc 0771 system graphics
@@ -316,14 +312,6 @@
write /proc/sys/vm/min_free_order_shift 4
- # Allow to access debugfs for system:system
- chmod 0755 /sys/kernel/debug
- chown system system /sys/kernel/debug
-
- # Set up kernel tracing, but disable it by default
- chmod 0222 /sys/kernel/debug/tracing/trace_marker
- write /sys/kernel/debug/tracing/tracing_on 0
-
# Permissions for NAD
symlink /dev/block/platform/13520000.ufs/by-name/nad_refer /dev/block/NAD_REFER
@@ -358,7 +346,6 @@
chown audioserver system /sys/devices/platform/14a50000.abox/0.abox_debug/gpr
chown audioserver system /sys/devices/platform/14a50000.abox/0.abox_debug/calliope_sram
chown audioserver system /sys/devices/platform/14a50000.abox/0.abox_debug/calliope_dram
- chown audioserver system /sys/kernel/debug/abox/log-00
# BarTender
mkdir /dev/cpuctl/bg_cached
@@ -839,14 +826,6 @@
chown system audio /sys/class/cirrus/cirrus_bd/over_temp_count_left
chown system audio /sys/class/cirrus/cirrus_bd/over_temp_count_right
- chmod 0660 /sys/kernel/debug/audio/log
- chown audioserver system /sys/kernel/debug/audio/log
- chmod 0660 /sys/kernel/debug/audio/log_enable
- chown audioserver system /sys/kernel/debug/audio/log_enable
- chmod 0660 /sys/kernel/debug/audio/bootlog
- chown audioserver system /sys/kernel/debug/audio/bootlog
- chmod 0660 /sys/kernel/debug/audio/bootlog_enable
- chown audioserver system /sys/kernel/debug/audio/bootlog_enable
# TI Amp Calibration and Factory test
chown system audio /sys/class/tas25xx/calib/calibration
chown system audio /sys/class/tas25xx/calib/cstatus
diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te
deleted file mode 100644
index de24957..0000000
--- a/sepolicy/vendor/domain.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow domain debugfs_mali:dir search;
-allow domain debugfs_mali_mem:dir search;
-allow domain debugfs_ion_dma:dir search;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 0cf29c9..48862d5 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -3,12 +3,6 @@
type media_vendor_data_file, file_type, data_file_type;
type mediadrm_vendor_data_file, file_type, data_file_type;
-# debug types
-type debugfs_mali, fs_type, debugfs_type;
-type debugfs_mali_mem, fs_type, debugfs_type;
-type debugfs_ion, fs_type, debugfs_type;
-type debugfs_ion_dma, fs_type, debugfs_type;
-
# efs types
type cpdebug_efs_file, fs_type;
type dsms_efs_file, fs_type;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index c75fdc0..a40e210 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -1,9 +1,3 @@
-## DebugFS
-genfscon debugfs /mali/ u:object_r:debugfs_mali:s0
-genfscon debugfs /mali/mem/ u:object_r:debugfs_mali_mem:s0
-genfscon debugfs /ion u:object_r:debugfs_ion:s0
-genfscon debugfs /dma_buf u:object_r:debugfs_ion_dma:s0
-
## Proc
genfscon proc /simslot_count u:object_r:proc_simslot_count:s0
genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
diff --git a/sepolicy/vendor/hal_memtrack_default.te b/sepolicy/vendor/hal_memtrack_default.te
index ef653a9..d847336 100644
--- a/sepolicy/vendor/hal_memtrack_default.te
+++ b/sepolicy/vendor/hal_memtrack_default.te
@@ -1,6 +1 @@
-r_dir_file(hal_memtrack_default, debugfs_mali);
-r_dir_file(hal_memtrack_default, debugfs_mali_mem);
-r_dir_file(hal_memtrack_default, debugfs_ion);
-r_dir_file(hal_memtrack_default, debugfs_ion_dma);
-
allow hal_memtrack_default sysfs_gpu_memory:file r_file_perms;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 0f00fc9..73fa554 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -4,7 +4,6 @@
allow vendor_init tmpfs:dir { write add_name };
allow vendor_init tmpfs:lnk_file create;
allow vendor_init functionfs:file getattr;
-allow vendor_init debugfs_trace_marker:file getattr;
allow vendor_init proc_swappiness:file rw_file_perms;