Merge changes from topic "debugfs_neverallow" am: 005ae599cd

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1668411

Change-Id: I90babf42eb8504fb2b0fa269a4e538b557d2328d

Android.mk

@@ -301,6 +301,11 @@ ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
   enforce_sysprop_owner := false
 endif
 
+enforce_debugfs_restriction := false
+ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
+  enforce_debugfs_restriction := true
+endif
+
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
   #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -621,6 +626,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -638,6 +644,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -696,6 +703,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -713,6 +721,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -835,6 +844,7 @@ $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(vendor_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -898,6 +908,7 @@ $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
 $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(odm_policy.conf): $(policy_files) $(M4)
@@ -1164,6 +1175,7 @@ $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
+$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy.recovery.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1401,6 +1413,7 @@ $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1433,6 +1446,7 @@ $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1551,6 +1565,7 @@ built_vendor_svc :=
 built_plat_sepolicy :=
 treble_sysprop_neverallow :=
 enforce_sysprop_owner :=
+enforce_debugfs_restriction :=
 mapping_policy :=
 my_target_arch :=
 pub_policy.cil :=

build/soong/policy.go

@@ -135,6 +135,13 @@ func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
 	return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
 }
 
+func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
+	if c.cts() {
+		return "cts"
+	}
+	return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
+}
+
 func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
 	conf := android.PathForModuleOut(ctx, "conf").OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
@@ -154,6 +161,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
 		FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
 		FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
 		FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+		FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
 		Flag("-s").
 		Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
 		Text("> ").Output(conf)

definitions.mk

@@ -15,6 +15,7 @@ $(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
+	-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef

prebuilt_policy.mk

@@ -61,6 +61,7 @@ $(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
 $(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
 $(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
 $(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
 $(1): PRIVATE_POLICY_FILES := $$(policy_files)
 $(1): $$(policy_files) $$(M4)
 	$$(transform-policy-to-conf)

private/compat/30.0/30.0.ignore.cil

@@ -134,6 +134,7 @@
     vcn_management_service
     vd_device
     vendor_kernel_modules
+    vendor_modprobe
     vibrator_manager_service
     virtualization_service
     vpn_management_service

private/coredomain.te

@@ -153,9 +153,11 @@ full_treble_only(`
   # debugfs
   neverallow {
     coredomain
-    -dumpstate
+    no_debugfs_restriction(`
-    -init
+      -dumpstate
-    -system_server
+      -init
+      -system_server
+    ')
   } debugfs:file no_rw_file_perms;
 
   # tracefs

private/domain.te

@@ -364,7 +364,15 @@ neverallow {
     -update_engine
     -vold
     -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+} { fs_type
+    -sdcard_type
+}:filesystem { mount remount relabelfrom relabelto };
+
+enforce_debugfs_restriction(`
+  neverallow {
+    domain userdebug_or_eng(`-init')
+  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')
 
 # Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
@@ -510,3 +518,21 @@ neverallow {
   -traced_probes
   -traced_perf
 } proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+  neverallow {
+    domain
+    -vendor_modprobe
+    userdebug_or_eng(`
+      -init
+      -hal_dumpstate
+    ')
+  } { debugfs_type
+      userdebug_or_eng(`-debugfs_kcov')
+      -tracefs_type
+  }:file no_rw_file_perms;
+')

private/dumpstate.te

@@ -54,7 +54,10 @@ allow dumpstate {
 }:process signal;
 
 # For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
 allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 allow dumpstate sysfs_dmabuf_stats:file r_file_perms;

private/incidentd.te

@@ -29,7 +29,9 @@ unix_socket_send(incidentd, statsdw, statsd)
 allow incidentd proc_pagetypeinfo:file r_file_perms;
 
 # section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
 
 # section id 2003, allow executing top
 allow incidentd proc_meminfo:file { open read };

private/storaged.te

@@ -18,10 +18,12 @@ allow storaged packages_list_file:file r_file_perms;
 allow storaged storaged_data_file:dir rw_dir_perms;
 allow storaged storaged_data_file:file create_file_perms;
 
-userdebug_or_eng(`
+no_debugfs_restriction(`
-  # Read access to debugfs
+  userdebug_or_eng(`
-  allow storaged debugfs_mmc:dir search;
+    # Read access to debugfs
-  allow storaged debugfs_mmc:file r_file_perms;
+    allow storaged debugfs_mmc:dir search;
+    allow storaged debugfs_mmc:file r_file_perms;
+  ')
 ')
 
 # Needed to provide debug dump output via dumpsys pipes.

private/system_server.te

@@ -186,7 +186,9 @@ allow system_server stats_data_file:dir { open read remove_name search write };
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
 
 # Read /sys/kernel/ion/*.
 allow system_server sysfs_ion:file r_file_perms;

public/attributes

@@ -62,6 +62,9 @@ attribute sysfs_type;
 # All types use for debugfs files.
 attribute debugfs_type;
 
+# All types used for tracefs files.
+attribute tracefs_type;
+
 # Attribute used for all sdcards
 attribute sdcard_type;
 

public/dumpstate.te

@@ -113,10 +113,12 @@ allow dumpstate {
 }:file r_file_perms;
 
 # Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
-auditallow dumpstate debugfs:file r_file_perms;
+  allow dumpstate debugfs:file r_file_perms;
+  auditallow dumpstate debugfs:file r_file_perms;
 
-allow dumpstate debugfs_mmc:file r_file_perms;
+  allow dumpstate debugfs_mmc:file r_file_perms;
+')
 
 # df for
 allow dumpstate {

public/file.te

@@ -144,14 +144,14 @@ type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
 type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
 type securityfs, fs_type;
 
 type pstorefs, fs_type;
@@ -562,7 +562,7 @@ type hwservice_contexts_file, system_file_type, file_type;
 type vndservice_contexts_file, file_type;
 
 # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
 
 # kernel modules
 type vendor_kernel_modules, vendor_file_type, file_type;

public/init.te

@@ -162,7 +162,19 @@ allowxperm init dev_type:blk_file ioctl BLKROSET;
 # which should all be assigned the contextmount_type attribute.
 # This can be done in device-specific policy via type or typeattribute
 # declarations.
-allow init fs_type:filesystem ~relabelto;
+allow init {
+  fs_type
+  enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
 allow init unlabeled:filesystem ~relabelto;
 allow init contextmount_type:filesystem relabelto;
 
@@ -228,8 +240,11 @@ allow init {
   -system_file_type
   -vendor_file_type
   -vold_data_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
 allow init {
   file_type
   -app_data_file
@@ -278,8 +293,8 @@ allow init {
   -privapp_data_file
 }:dir_file_class_set relabelto;
 
-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 
@@ -300,6 +315,7 @@ allow init {
   -sdcard_type
   -sysfs_type
   -rootfs
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 

public/recovery.te

@@ -32,7 +32,7 @@ recovery_only(`
   # Mount filesystems.
   allow recovery rootfs:dir mounton;
   allow recovery tmpfs:dir mounton;
-  allow recovery fs_type:filesystem ~relabelto;
+  allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
   allow recovery unlabeled:filesystem ~relabelto;
   allow recovery contextmount_type:filesystem relabelto;
 

public/te_macros

@@ -505,6 +505,23 @@ $1
 #
 define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
 
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
 #####################################
 # Compatible property only
 # SELinux rules which apply only to devices with compatible property

public/vendor_init.te

@@ -79,6 +79,7 @@ allow vendor_init {
   -apex_metadata_file
   -apex_info_file
   -userspace_reboot_metadata_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -143,8 +144,11 @@ allow vendor_init {
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr map };
 
+allow vendor_init tracefs_type:file { open read setattr map };
+
 allow vendor_init {
   fs_type
   -contextmount_type

public/vendor_modprobe.te

@@ -0,0 +1 @@
+type vendor_modprobe, domain;

tests/sepolicy_tests.py

@@ -40,11 +40,18 @@ def TestSysfsTypeViolations(pol):
 
 def TestDebugfsTypeViolations(pol):
     ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
-    ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
     ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
                                     "/sys/kernel/tracing"], [], "debugfs_type")
     return ret
 
+def TestTracefsTypeViolations(pol):
+    ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
+    ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
+    ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
+                                            ["/sys/kernel/debug/tracing"], "tracefs_type",
+                                            [])
+    return ret
+
 def TestVendorTypeViolations(pol):
     partitions = ["/vendor/", "/odm/"]
     exceptions = [
@@ -111,6 +118,7 @@ Tests = [
     "TestSysfsTypeViolations",
     "TestSystemTypeViolators",
     "TestDebugfsTypeViolations",
+    "TestTracefsTypeViolations",
     "TestVendorTypeViolations",
     "TestCoreDataTypeViolations",
     "TestPropertyTypeViolations",
@@ -165,6 +173,8 @@ if __name__ == '__main__':
         results += TestSystemTypeViolations(pol)
     if options.test is None or "TestDebugfsTypeViolations" in options.test:
         results += TestDebugfsTypeViolations(pol)
+    if options.test is None or "TestTracefsTypeViolations" in options.test:
+        results += TestTracefsTypeViolations(pol)
     if options.test is None or "TestVendorTypeViolations" in options.test:
         results += TestVendorTypeViolations(pol)
     if options.test is None or "TestCoreDataTypeViolations" in options.test:

vendor/vendor_modprobe.te

@@ -1,5 +1,3 @@
-type vendor_modprobe, domain;
-
 # For the use of /vendor/bin/modprobe from vendor init.rc fragments
 domain_trans(init, vendor_toolbox_exec, vendor_modprobe)