Enforce debugfs restrictions for S launching devices and newer
Starting with Android R, debugfs cannot be mounted on production
devices. In order to minimize the differences w.r.t debugfs between user
and userdebug/eng builds, enforce a set of run-time and build-time
restrictions on debugfs access for S launch devices and newer. For
non-user builds, debugfs can still be accessed by root and by the
dumpstate HAL during bugreport collection.
Bug: 184381659
Test: build/boot
Change-Id: I2af49acd8a5b3440c6ecbf365ab43cdb33ff897a
diff --git a/core/product_config.mk b/core/product_config.mk
index d703ee3..eb6f69f 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -359,6 +359,14 @@
endif
endif
+ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),)
+ ifdef PRODUCT_SHIPPING_API_LEVEL
+ ifeq (true,$(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),31))
+ PRODUCT_SET_DEBUGFS_RESTRICTIONS := true
+ endif
+ endif
+endif
+
ifdef PRODUCT_SHIPPING_API_LEVEL
ifneq (,$(call math_gt_or_eq,29,$(PRODUCT_SHIPPING_API_LEVEL)))
PRODUCT_PACKAGES += $(PRODUCT_PACKAGES_SHIPPING_API_LEVEL_29)
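Review bot: The default in the added block is applied only inside `ifdef PRODUCT_SHIPPING_API_LEVEL`, so a product that leaves the shipping level unset never gets `PRODUCT_SET_DEBUGFS_RESTRICTIONS := true` and stays unrestricted unless something outside this hunk handles that case. The outer `ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),)` also treats any non-empty value as an explicit choice, so a misspelled value would silently skip the default; if the consumers of this variable test for `true`, that leaves debugfs open on an S-launch product. I would document the contract above the block, e.g. `# Default debugfs restrictions on for shipping API level >= 31; products may pre-set PRODUCT_SET_DEBUGFS_RESTRICTIONS, and an unset shipping level gets no default.`, and consider rejecting values other than `true`/`false` with `$(error ...)`. The test `ifeq (true,$(call math_gt_or_eq,...))` is also written differently from the `ifneq (,$(call math_gt_or_eq,...))` form in the context lines directly below it. The surrounding conditionals begin and end outside the hunk.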