tequilaOS/platform_build
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add a build flag to turn on debugfs restrictions

Browse source 
Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, this
patch introduces a build flag that can be set by vendors to enforce
additional debugfs restrictions for userdebug/eng builds. The same flag
will be used to enable sepolicy neverallow statements to prevent new
permissions added for debugfs access.

Bug: 184381659
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Change-Id: I9aff974da7ddce9bf1a7ec54153b161527b12062
This commit is contained in:
Hridya Valsaraju 2021-03-31 21:28:02 -07:00
parent bacb3ebb2a
commit b39ec7084a
3 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
core/main.mk
View file

@ -290,6 +290,13 @@ ADDITIONAL_VENDOR_PROPERTIES += \
ro.product.first_api_level=$(PRODUCT_SHIPPING_API_LEVEL)
endif
ifneq ($(TARGET_BUILD_VARIANT),user)
ifdef PRODUCT_SET_DEBUGFS_RESTRICTIONS
ADDITIONAL_VENDOR_PROPERTIES += \
ro.product.enforce_debugfs_restrictions=$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)
endif
endif
# Vendors with GRF must define BOARD_SHIPPING_API_LEVEL for the vendor API level.
# This must not be defined for the non-GRF devices.
ifdef BOARD_SHIPPING_API_LEVEL

3
core/product.mk
View file

@ -341,6 +341,9 @@ _product_list_vars += PRODUCT_FORCE_PRODUCT_MODULES_TO_SYSTEM_PARTITION
# This flag implies PRODUCT_USE_DYNAMIC_PARTITIONS.
_product_single_value_vars += PRODUCT_RETROFIT_DYNAMIC_PARTITIONS
# When this is true, various build time as well as runtime debugfs restrictions are enabled.
_product_single_value_vars += PRODUCT_SET_DEBUGFS_RESTRICTIONS
# Other dynamic partition feature flags.PRODUCT_USE_DYNAMIC_PARTITION_SIZE and
# PRODUCT_BUILD_SUPER_PARTITION default to the value of PRODUCT_USE_DYNAMIC_PARTITIONS.
_product_single_value_vars += \

2
core/soong_config.mk
View file

@ -256,6 +256,8 @@ $(call add_json_bool, BuildBrokenEnforceSyspropOwner, $(filter true,$(BUILD_
$(call add_json_bool, BuildBrokenTrebleSyspropNeverallow, $(filter true,$(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW)))
$(call add_json_bool, BuildBrokenVendorPropertyNamespace, $(filter true,$(BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE)))
$(call add_json_bool, BuildDebugfsRestrictionsEnabled, $(filter true,$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)))
$(call add_json_bool, RequiresInsecureExecmemForSwiftshader, $(filter true,$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)))
$(call add_json_bool, SelinuxIgnoreNeverallows, $(filter true,$(SELINUX_IGNORE_NEVERALLOWS)))