Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"

Revert submission 1668411 Reason for revert: Suspect for b/186173384 Reverted Changes: Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t... I743a81489:Exclude vendor_modprobe from debugfs neverallow re... I63a22402c:Add neverallows for debugfs access I289f2d256:Add a neverallow for debugfs mounting Change-Id: I04f8bfdc0e5fe8d2f7d6596ed7b840332d611485
2021-04-23 16:38:20 +00:00 · 2021-04-23 16:38:20 +00:00 · 231c04b2b9
commit 231c04b2b9
parent a00863e4d8
4 changed files with 2 additions and 5 deletions
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -132,7 +132,6 @@
    vcn_management_service
    vd_device
    vendor_kernel_modules
-    vendor_modprobe
    vibrator_manager_service
    virtualization_service
    vpn_management_service
--- a/private/domain.te
+++ b/private/domain.te
@ -521,12 +521,9 @@ neverallow {

 # debugfs_kcov type is not included in this neverallow statement since the KCOV
 # tool uses it for kernel fuzzing.
-# vendor_modprobe is also exempted since the kernel modules it loads may create
-# debugfs files in its context.
 enforce_debugfs_restriction(`
  neverallow {
    domain
-    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
--- a/public/vendor_modprobe.te
+++ b/public/vendor_modprobe.te
@ -1 +0,0 @@
-type vendor_modprobe, domain;
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@ -1,3 +1,5 @@
+type vendor_modprobe, domain;
+
 # For the use of /vendor/bin/modprobe from vendor init.rc fragments
 domain_trans(init, vendor_toolbox_exec, vendor_modprobe)