Merge changes from topic "debugfs_neverallow" am: 005ae599cd

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1668411 Change-Id: I90babf42eb8504fb2b0fa269a4e538b557d2328d
2021-04-22 17:03:14 +00:00 · 2021-04-22 17:03:14 +00:00 · 95fef2b070
commit 95fef2b070
parent f5120b98a6 005ae599cd
21 changed files with 143 additions and 29 deletions
--- a/Android.mk
+++ b/Android.mk
@ -301,6 +301,11 @@ ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
  enforce_sysprop_owner := false
 endif

+enforce_debugfs_restriction := false
+ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
+  enforce_debugfs_restriction := true
+endif
+
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -621,6 +626,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -638,6 +644,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -696,6 +703,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -713,6 +721,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -835,6 +844,7 @@ $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(vendor_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -898,6 +908,7 @@ $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
 $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(odm_policy.conf): $(policy_files) $(M4)
@ -1164,6 +1175,7 @@ $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
+$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy.recovery.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -1401,6 +1413,7 @@ $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -1433,6 +1446,7 @@ $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -1551,6 +1565,7 @@ built_vendor_svc :=
 built_plat_sepolicy :=
 treble_sysprop_neverallow :=
 enforce_sysprop_owner :=
+enforce_debugfs_restriction :=
 mapping_policy :=
 my_target_arch :=
 pub_policy.cil :=
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@ -135,6 +135,13 @@ func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
 	return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
 }

+func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
+	if c.cts() {
+		return "cts"
+	}
+	return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
+}
+
 func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
 	conf := android.PathForModuleOut(ctx, "conf").OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
@ -154,6 +161,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
 		FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
 		FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
 		FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+		FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
 		Flag("-s").
 		Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
 		Text("> ").Output(conf)
--- a/definitions.mk
+++ b/definitions.mk
@ -15,6 +15,7 @@ $(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
+	-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@ -61,6 +61,7 @@ $(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
 $(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
 $(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
 $(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
 $(1): PRIVATE_POLICY_FILES := $$(policy_files)
 $(1): $$(policy_files) $$(M4)
 	$$(transform-policy-to-conf)
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -134,6 +134,7 @@
    vcn_management_service
    vd_device
    vendor_kernel_modules
+    vendor_modprobe
    vibrator_manager_service
    virtualization_service
    vpn_management_service
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -153,9 +153,11 @@ full_treble_only(`
  # debugfs
  neverallow {
    coredomain
-    -dumpstate
-    -init
-    -system_server
+    no_debugfs_restriction(`
+      -dumpstate
+      -init
+      -system_server
+    ')
  } debugfs:file no_rw_file_perms;

  # tracefs
--- a/private/domain.te
+++ b/private/domain.te
@ -364,7 +364,15 @@ neverallow {
    -update_engine
    -vold
    -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+} { fs_type
+    -sdcard_type
+}:filesystem { mount remount relabelfrom relabelto };
+
+enforce_debugfs_restriction(`
+  neverallow {
+    domain userdebug_or_eng(`-init')
+  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')

 # Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
@ -510,3 +518,21 @@ neverallow {
  -traced_probes
  -traced_perf
 } proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+  neverallow {
+    domain
+    -vendor_modprobe
+    userdebug_or_eng(`
+      -init
+      -hal_dumpstate
+    ')
+  } { debugfs_type
+      userdebug_or_eng(`-debugfs_kcov')
+      -tracefs_type
+  }:file no_rw_file_perms;
+')
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@ -54,7 +54,10 @@ allow dumpstate {
 }:process signal;

 # For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
 allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
--- a/private/incidentd.te
+++ b/private/incidentd.te
@ -29,7 +29,9 @@ unix_socket_send(incidentd, statsdw, statsd)
 allow incidentd proc_pagetypeinfo:file r_file_perms;

 # section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')

 # section id 2003, allow executing top
 allow incidentd proc_meminfo:file { open read };
--- a/private/storaged.te
+++ b/private/storaged.te
@ -18,10 +18,12 @@ allow storaged packages_list_file:file r_file_perms;
 allow storaged storaged_data_file:dir rw_dir_perms;
 allow storaged storaged_data_file:file create_file_perms;

-userdebug_or_eng(`
-  # Read access to debugfs
-  allow storaged debugfs_mmc:dir search;
-  allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    # Read access to debugfs
+    allow storaged debugfs_mmc:dir search;
+    allow storaged debugfs_mmc:file r_file_perms;
+  ')
 ')

 # Needed to provide debug dump output via dumpsys pipes.
--- a/private/system_server.te
+++ b/private/system_server.te
@ -186,7 +186,9 @@ allow system_server stats_data_file:dir { open read remove_name search write };
 allow system_server stats_data_file:file unlink;

 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow system_server debugfs_wakeup_sources:file r_file_perms;
+')

 # Read /sys/kernel/ion/*.
 allow system_server sysfs_ion:file r_file_perms;
--- a/public/attributes
+++ b/public/attributes
@ -62,6 +62,9 @@ attribute sysfs_type;
 # All types use for debugfs files.
 attribute debugfs_type;

+# All types used for tracefs files.
+attribute tracefs_type;
+
 # Attribute used for all sdcards
 attribute sdcard_type;

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -113,10 +113,12 @@ allow dumpstate {
 }:file r_file_perms;

 # Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
-auditallow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
+  allow dumpstate debugfs:file r_file_perms;
+  auditallow dumpstate debugfs:file r_file_perms;

-allow dumpstate debugfs_mmc:file r_file_perms;
+  allow dumpstate debugfs_mmc:file r_file_perms;
+')

 # df for
 allow dumpstate {
--- a/public/file.te
+++ b/public/file.te
@ -144,14 +144,14 @@ type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
 type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
 type securityfs, fs_type;

 type pstorefs, fs_type;
@ -562,7 +562,7 @@ type hwservice_contexts_file, system_file_type, file_type;
 type vndservice_contexts_file, file_type;

 # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;

 # kernel modules
 type vendor_kernel_modules, vendor_file_type, file_type;
--- a/public/init.te
+++ b/public/init.te
@ -162,7 +162,19 @@ allowxperm init dev_type:blk_file ioctl BLKROSET;
 # which should all be assigned the contextmount_type attribute.
 # This can be done in device-specific policy via type or typeattribute
 # declarations.
-allow init fs_type:filesystem ~relabelto;
+allow init {
+  fs_type
+  enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
 allow init unlabeled:filesystem ~relabelto;
 allow init contextmount_type:filesystem relabelto;

@ -228,8 +240,11 @@ allow init {
  -system_file_type
  -vendor_file_type
  -vold_data_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };

+allow init tracefs_type:file { create_file_perms relabelfrom };
+
 allow init {
  file_type
  -app_data_file
@ -278,8 +293,8 @@ allow init {
  -privapp_data_file
 }:dir_file_class_set relabelto;

-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;

@ -300,6 +315,7 @@ allow init {
  -sdcard_type
  -sysfs_type
  -rootfs
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

--- a/public/recovery.te
+++ b/public/recovery.te
@ -32,7 +32,7 @@ recovery_only(`
  # Mount filesystems.
  allow recovery rootfs:dir mounton;
  allow recovery tmpfs:dir mounton;
-  allow recovery fs_type:filesystem ~relabelto;
+  allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
  allow recovery unlabeled:filesystem ~relabelto;
  allow recovery contextmount_type:filesystem relabelto;

--- a/public/te_macros
+++ b/public/te_macros
@ -505,6 +505,23 @@ $1
 #
 define(`not_full_treble', ifelse(target_full_treble, `true', , $1))

+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
 #####################################
 # Compatible property only
 # SELinux rules which apply only to devices with compatible property
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -79,6 +79,7 @@ allow vendor_init {
  -apex_metadata_file
  -apex_info_file
  -userspace_reboot_metadata_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };

 allow vendor_init {
@ -143,8 +144,11 @@ allow vendor_init {
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr map };

+allow vendor_init tracefs_type:file { open read setattr map };
+
 allow vendor_init {
  fs_type
  -contextmount_type
--- a/public/vendor_modprobe.te
+++ b/public/vendor_modprobe.te
@ -0,0 +1 @@
+type vendor_modprobe, domain;
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@ -40,11 +40,18 @@ def TestSysfsTypeViolations(pol):

 def TestDebugfsTypeViolations(pol):
    ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
-    ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
    ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
                                    "/sys/kernel/tracing"], [], "debugfs_type")
    return ret

+def TestTracefsTypeViolations(pol):
+    ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
+    ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
+    ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
+                                            ["/sys/kernel/debug/tracing"], "tracefs_type",
+                                            [])
+    return ret
+
 def TestVendorTypeViolations(pol):
    partitions = ["/vendor/", "/odm/"]
    exceptions = [
@ -111,6 +118,7 @@ Tests = [
    "TestSysfsTypeViolations",
    "TestSystemTypeViolators",
    "TestDebugfsTypeViolations",
+    "TestTracefsTypeViolations",
    "TestVendorTypeViolations",
    "TestCoreDataTypeViolations",
    "TestPropertyTypeViolations",
@ -165,6 +173,8 @@ if __name__ == '__main__':
        results += TestSystemTypeViolations(pol)
    if options.test is None or "TestDebugfsTypeViolations" in options.test:
        results += TestDebugfsTypeViolations(pol)
+    if options.test is None or "TestTracefsTypeViolations" in options.test:
+        results += TestTracefsTypeViolations(pol)
    if options.test is None or "TestVendorTypeViolations" in options.test:
        results += TestVendorTypeViolations(pol)
    if options.test is None or "TestCoreDataTypeViolations" in options.test:
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@ -1,5 +1,3 @@
-type vendor_modprobe, domain;
-
 # For the use of /vendor/bin/modprobe from vendor init.rc fragments
 domain_trans(init, vendor_toolbox_exec, vendor_modprobe)