Merge "strengthen debugfs neverallows" am: 4f36bd15ac am: 863fea7e62

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599510

Change-Id: I9c12dd0e933f6e5c4917db5c1ccdadd985dce7d3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

private/ephemeral_app.te

@@ -66,7 +66,7 @@ neverallow ephemeral_app domain:netlink_socket *;
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
+neverallow ephemeral_app debugfs_type:file read;
 
 # execute gpu_device
 neverallow ephemeral_app gpu_device:chr_file execute;

private/priv_app.te

@@ -218,7 +218,7 @@ neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
+neverallow priv_app debugfs_type:file read;
 
 # Do not allow privileged apps to register services.
 # Only trusted components of Android should be registering

private/sdk_sandbox_all.te

@@ -45,7 +45,7 @@ neverallow sdk_sandbox_all domain:netlink_socket *;
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
+neverallow sdk_sandbox_all debugfs_type:file read;
 
 # execute gpu_device
 neverallow sdk_sandbox_all gpu_device:chr_file execute;