never allow untrusted apps accessing debugfs_tracing

debugfs_tracing can only be accessed by tracing tools provided by the
platform.

Bug: 172028429
Test: boot with no relevant log showing up
Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601

private/platform_app.te

@@ -93,6 +93,9 @@ get_prop(platform_app, keyguard_config_prop)
 # allow platform apps to create symbolic link
 allow platform_app app_data_file:lnk_file create_file_perms;
 
+# suppress denials caused by debugfs_tracing
+dontaudit platform_app debugfs_tracing:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###

private/system_app.te

@@ -116,6 +116,9 @@ dontaudit system_app {
   vr_hwc_service
 }:service_manager find;
 
+# suppress denials caused by debugfs_tracing
+dontaudit system_app debugfs_tracing:file rw_file_perms;
+
 allow system_app keystore:keystore_key {
     get_state
     get

private/untrusted_app_all.te

@@ -64,6 +64,9 @@ allow untrusted_app_all trace_data_file:file { getattr read };
 neverallow untrusted_app_all trace_data_file:dir *;
 neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
 
+# neverallow untrusted apps accessing debugfs_tracing
+neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
+
 # Allow to read staged apks.
 allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
 
@@ -146,6 +149,9 @@ allow untrusted_app_all system_server:udp_socket {
 # Allow the renderscript compiler to be run.
 domain_auto_trans(untrusted_app_all, rs_exec, rs)
 
+# suppress denials caused by debugfs_tracing
+dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
+
 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;