From b39ec7084af54dcab5f56d275363e013df959c31 Mon Sep 17 00:00:00 2001
From: Hridya Valsaraju
Date: Wed, 31 Mar 2021 21:28:02 -0700
Subject: [PATCH] Add a build flag to turn on debugfs restrictions

Starting with Android R launched devices, debugfs cannot be mounted in production builds. In order to avoid accidental debugfs dependencies from creeping in during development with userdebug/eng builds, this patch introduces a build flag that can be set by vendors to enforce additional debugfs restrictions for userdebug/eng builds. The same flag will be used to enable sepolicy neverallow statements to prevent new permissions added for debugfs access.

Bug: 184381659
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Change-Id: I9aff974da7ddce9bf1a7ec54153b161527b12062
---
 core/main.mk | 7 +++++++
 core/product.mk | 3 +++
 core/soong_config.mk | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/core/main.mk b/core/main.mk
index 3362681b61..d39476d75b 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -290,6 +290,13 @@ ADDITIONAL_VENDOR_PROPERTIES += \
 ro.product.first_api_level=$(PRODUCT_SHIPPING_API_LEVEL)
 endif
 
+ifneq ($(TARGET_BUILD_VARIANT),user)
+ ifdef PRODUCT_SET_DEBUGFS_RESTRICTIONS
+ ADDITIONAL_VENDOR_PROPERTIES += \
+ ro.product.enforce_debugfs_restrictions=$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)
+ endif
+endif
+
 # Vendors with GRF must define BOARD_SHIPPING_API_LEVEL for the vendor API level.
 # This must not be defined for the non-GRF devices.
 ifdef BOARD_SHIPPING_API_LEVEL
diff --git a/core/product.mk b/core/product.mk
index 7c27614eca..015fe44ba9 100644
--- a/core/product.mk
+++ b/core/product.mk
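Review bot: The `ifdef PRODUCT_SET_DEBUGFS_RESTRICTIONS` test in the core/main.mk hunk accepts any non-empty value and copies it verbatim into `ro.product.enforce_debugfs_restrictions`, whereas the core/soong_config.mk hunk enables `BuildDebugfsRestrictionsEnabled` only for the exact string `true` via `$(filter true,...)`. A product that sets the flag to some other truthy-looking value (for example `1` or `True`) would get the runtime property with that raw value while the build-time bool, which the description says will gate the sepolicy neverallow statements, stays off, and nothing in the build reports the mismatch. Using the same test in both places keeps build-time and runtime enforcement in step: `ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)` with `ro.product.enforce_debugfs_restrictions=true` as the emitted value. If other values are meant to be rejected rather than ignored, an `$(error ...)` on a non-empty value other than `true` would surface the misconfiguration at parse time.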
@@ -341,6 +341,9 @@ _product_list_vars += PRODUCT_FORCE_PRODUCT_MODULES_TO_SYSTEM_PARTITION
 # This flag implies PRODUCT_USE_DYNAMIC_PARTITIONS.
 _product_single_value_vars += PRODUCT_RETROFIT_DYNAMIC_PARTITIONS
 
+# When this is true, various build time as well as runtime debugfs restrictions are enabled.
+_product_single_value_vars += PRODUCT_SET_DEBUGFS_RESTRICTIONS
+
 # Other dynamic partition feature flags.PRODUCT_USE_DYNAMIC_PARTITION_SIZE and
 # PRODUCT_BUILD_SUPER_PARTITION default to the value of PRODUCT_USE_DYNAMIC_PARTITIONS.
 _product_single_value_vars += \
diff --git a/core/soong_config.mk b/core/soong_config.mk
index b87eba1080..17176df7f5 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -256,6 +256,8 @@ $(call add_json_bool, BuildBrokenEnforceSyspropOwner, $(filter true,$(BUILD_
 $(call add_json_bool, BuildBrokenTrebleSyspropNeverallow, $(filter true,$(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW)))
 $(call add_json_bool, BuildBrokenVendorPropertyNamespace, $(filter true,$(BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE)))
 
+$(call add_json_bool, BuildDebugfsRestrictionsEnabled, $(filter true,$(PRODUCT_SET_DEBUGFS_RESTRICTIONS)))
+
 $(call add_json_bool, RequiresInsecureExecmemForSwiftshader, $(filter true,$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)))
 
 $(call add_json_bool, SelinuxIgnoreNeverallows, $(filter true,$(SELINUX_IGNORE_NEVERALLOWS)))
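Review bot: The comment added above `_product_single_value_vars += PRODUCT_SET_DEBUGFS_RESTRICTIONS` in core/product.mk does not say which value enables the flag or where it takes effect. From the other two files in this patch, the Soong bool is switched on only by the exact string `true`, and the runtime property is emitted only when `TARGET_BUILD_VARIANT` is not `user`; a vendor reading core/product.mk alone cannot tell either. I would write `# Set to true to enable build-time and runtime debugfs restrictions; the runtime property is only added on non-user (userdebug/eng) builds.`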