Revert "Add neverallows for debugfs access"
Revert submission 1668411
Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting
Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
diff --git a/private/coredomain.te b/private/coredomain.te
index b7f4f5d..9fe82d3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,11 +153,9 @@
# debugfs
neverallow {
coredomain
- no_debugfs_restriction(`
- -dumpstate
- -init
- -system_server
- ')
+ -dumpstate
+ -init
+ -system_server
} debugfs:file no_rw_file_perms;
# tracefs
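Review bot: The restored neverallow names only the generic `debugfs` type, and this same commit deletes the `debugfs_type`-wide neverallow from private/domain.te. Within this diff, no compile-time rule is left covering labelled subtypes such as `debugfs_mmc` or `debugfs_wakeup_sources`, although rules outside these hunks may still do so. I would record that limit in a comment above the rule, for example `# Covers only the generic debugfs label; other debugfs_type labels are not checked here.` The surrounding file continues past the `# tracefs` context line, so the rest of the block is not visible from this hunk.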
diff --git a/private/domain.te b/private/domain.te
index 3d27563..167e54e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -518,18 +518,3 @@
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
-
-# debugfs_kcov type is not included in this neverallow statement since the KCOV
-# tool uses it for kernel fuzzing.
-enforce_debugfs_restriction(`
- neverallow {
- domain
- userdebug_or_eng(`
- -init
- -hal_dumpstate
- ')
- } { debugfs_type
- userdebug_or_eng(`-debugfs_kcov')
- -tracefs_type
- }:file no_rw_file_perms;
-')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index f418fa3..13e3b4c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -54,10 +54,7 @@
}:process signal;
# For collecting bugreports.
-no_debugfs_restriction(`
- allow dumpstate debugfs_wakeup_sources:file r_file_perms;
-')
-
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
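Review bot: The restored `allow dumpstate debugfs_wakeup_sources:file r_file_perms;` applies on every build variant, and nothing marks it as a temporary state left by the revert. The same holds for the matching lines in private/incidentd.te and private/system_server.te, whereas private/storaged.te keeps its debugfs reads inside `userdebug_or_eng`. A tracking comment on each of the three would keep the debugfs dependency visible, for example `# TODO(b/186173384): re-wrap in no_debugfs_restriction() when the debugfs neverallows reland.`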
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..a574eee 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,9 +29,7 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/storaged.te b/private/storaged.te
index bb39e5b..b7d4ae9 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,12 +18,10 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-no_debugfs_restriction(`
- userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
- ')
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/system_server.te b/private/system_server.te
index 136910e..d3478bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,9 +186,7 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-no_debugfs_restriction(`
- allow system_server debugfs_wakeup_sources:file r_file_perms;
-')
+allow system_server debugfs_wakeup_sources:file r_file_perms;
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index daef4bb..c5a93c9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -62,9 +62,6 @@
# All types use for debugfs files.
attribute debugfs_type;
-# All types used for tracefs files.
-attribute tracefs_type;
-
# Attribute used for all sdcards
attribute sdcard_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 85a5796..28bdb82 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -113,12 +113,10 @@
}:file r_file_perms;
# Other random bits of data we want to collect
-no_debugfs_restriction(`
- allow dumpstate debugfs:file r_file_perms;
- auditallow dumpstate debugfs:file r_file_perms;
+allow dumpstate debugfs:file r_file_perms;
+auditallow dumpstate debugfs:file r_file_perms;
- allow dumpstate debugfs_mmc:file r_file_perms;
-')
+allow dumpstate debugfs_mmc:file r_file_perms;
# df for
allow dumpstate {
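Review bot: The comment "Other random bits of data we want to collect" does not explain why read access to the generic `debugfs` label is paired with an `auditallow`, and after this revert both lines are unconditional again. `auditallow` grants nothing by itself and only logs each permitted access, so it is presumably there to find which unlabelled debugfs files dumpstate still reads. I would say so next to the rule, for example `# auditallow: log reads of generic debugfs so the files can be given specific types and this allow narrowed.` The enclosing file continues on both sides of the hunk.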
diff --git a/public/file.te b/public/file.te
index 4353760..174a149 100644
--- a/public/file.te
+++ b/public/file.te
@@ -142,14 +142,14 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
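Review bot: Once `tracefs_type` is dropped from these declarations, nothing in the attribute set distinguishes types that label tracefs nodes from types that label real debugfs nodes. The second hunk of this file shows the overlap: `debugfs_bootreceiver_tracing` is documented as `/sys/kernel/tracing/instances/bootreceiver`, yet it now carries only `debugfs_type`. A later rule written against `debugfs_type` would therefore also cover tracing files. A short comment above the tracing types would warn the next editor, for example `# Despite the debugfs_ prefix, the *tracing* types may label tracefs (/sys/kernel/tracing) nodes; check before restricting debugfs_type.`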
@@ -560,7 +560,7 @@
type vndservice_contexts_file, file_type;
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
diff --git a/public/init.te b/public/init.te
index 7e6789f..641a969 100644
--- a/public/init.te
+++ b/public/init.te
@@ -240,11 +240,8 @@
-system_file_type
-vendor_file_type
-vold_data_file
- enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
allow init {
file_type
-app_data_file
@@ -293,8 +290,8 @@
-privapp_data_file
}:dir_file_class_set relabelto;
-allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -315,7 +312,6 @@
-sdcard_type
-sysfs_type
-rootfs
- enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 8a74421..a8f9418 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -79,7 +79,6 @@
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
- enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -144,11 +143,8 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
- enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
-allow vendor_init tracefs_type:file { open read setattr map };
-
allow vendor_init {
fs_type
-contextmount_type