Revert "Add neverallows for debugfs access"
Revert submission 1668411 Reason for revert: Suspect for b/186173384 Reverted Changes: Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t... I743a81489:Exclude vendor_modprobe from debugfs neverallow re... I63a22402c:Add neverallows for debugfs access I289f2d256:Add a neverallow for debugfs mounting Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
This commit is contained in:
parent
231c04b2b9
commit
e95e0ec0a5
11 changed files with 23 additions and 62 deletions
|
@ -153,11 +153,9 @@ full_treble_only(`
|
|||
# debugfs
|
||||
neverallow {
|
||||
coredomain
|
||||
no_debugfs_restriction(`
|
||||
-dumpstate
|
||||
-init
|
||||
-system_server
|
||||
')
|
||||
-dumpstate
|
||||
-init
|
||||
-system_server
|
||||
} debugfs:file no_rw_file_perms;
|
||||
|
||||
# tracefs
|
||||
|
|
|
@ -518,18 +518,3 @@ neverallow {
|
|||
-traced_probes
|
||||
-traced_perf
|
||||
} proc_kallsyms:file { open read };
|
||||
|
||||
# debugfs_kcov type is not included in this neverallow statement since the KCOV
|
||||
# tool uses it for kernel fuzzing.
|
||||
enforce_debugfs_restriction(`
|
||||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`
|
||||
-init
|
||||
-hal_dumpstate
|
||||
')
|
||||
} { debugfs_type
|
||||
userdebug_or_eng(`-debugfs_kcov')
|
||||
-tracefs_type
|
||||
}:file no_rw_file_perms;
|
||||
')
|
||||
|
|
|
@ -54,10 +54,7 @@ allow dumpstate {
|
|||
}:process signal;
|
||||
|
||||
# For collecting bugreports.
|
||||
no_debugfs_restriction(`
|
||||
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
|
||||
')
|
||||
|
||||
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
|
||||
allow dumpstate dev_type:blk_file getattr;
|
||||
allow dumpstate webview_zygote:process signal;
|
||||
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
|
||||
|
|
|
@ -29,9 +29,7 @@ unix_socket_send(incidentd, statsdw, statsd)
|
|||
allow incidentd proc_pagetypeinfo:file r_file_perms;
|
||||
|
||||
# section id 2002, allow reading /d/wakeup_sources
|
||||
no_debugfs_restriction(`
|
||||
allow incidentd debugfs_wakeup_sources:file r_file_perms;
|
||||
')
|
||||
allow incidentd debugfs_wakeup_sources:file r_file_perms;
|
||||
|
||||
# section id 2003, allow executing top
|
||||
allow incidentd proc_meminfo:file { open read };
|
||||
|
|
|
@ -18,12 +18,10 @@ allow storaged packages_list_file:file r_file_perms;
|
|||
allow storaged storaged_data_file:dir rw_dir_perms;
|
||||
allow storaged storaged_data_file:file create_file_perms;
|
||||
|
||||
no_debugfs_restriction(`
|
||||
userdebug_or_eng(`
|
||||
# Read access to debugfs
|
||||
allow storaged debugfs_mmc:dir search;
|
||||
allow storaged debugfs_mmc:file r_file_perms;
|
||||
')
|
||||
userdebug_or_eng(`
|
||||
# Read access to debugfs
|
||||
allow storaged debugfs_mmc:dir search;
|
||||
allow storaged debugfs_mmc:file r_file_perms;
|
||||
')
|
||||
|
||||
# Needed to provide debug dump output via dumpsys pipes.
|
||||
|
|
|
@ -186,9 +186,7 @@ allow system_server stats_data_file:dir { open read remove_name search write };
|
|||
allow system_server stats_data_file:file unlink;
|
||||
|
||||
# Read /sys/kernel/debug/wakeup_sources.
|
||||
no_debugfs_restriction(`
|
||||
allow system_server debugfs_wakeup_sources:file r_file_perms;
|
||||
')
|
||||
allow system_server debugfs_wakeup_sources:file r_file_perms;
|
||||
|
||||
# Read /sys/kernel/ion/*.
|
||||
allow system_server sysfs_ion:file r_file_perms;
|
||||
|
|
|
@ -62,9 +62,6 @@ attribute sysfs_type;
|
|||
# All types use for debugfs files.
|
||||
attribute debugfs_type;
|
||||
|
||||
# All types used for tracefs files.
|
||||
attribute tracefs_type;
|
||||
|
||||
# Attribute used for all sdcards
|
||||
attribute sdcard_type;
|
||||
|
||||
|
|
|
@ -113,12 +113,10 @@ allow dumpstate {
|
|||
}:file r_file_perms;
|
||||
|
||||
# Other random bits of data we want to collect
|
||||
no_debugfs_restriction(`
|
||||
allow dumpstate debugfs:file r_file_perms;
|
||||
auditallow dumpstate debugfs:file r_file_perms;
|
||||
allow dumpstate debugfs:file r_file_perms;
|
||||
auditallow dumpstate debugfs:file r_file_perms;
|
||||
|
||||
allow dumpstate debugfs_mmc:file r_file_perms;
|
||||
')
|
||||
allow dumpstate debugfs_mmc:file r_file_perms;
|
||||
|
||||
# df for
|
||||
allow dumpstate {
|
||||
|
|
|
@ -142,14 +142,14 @@ type exfat, sdcard_type, fs_type, mlstrustedobject;
|
|||
type debugfs, fs_type, debugfs_type;
|
||||
type debugfs_kprobes, fs_type, debugfs_type;
|
||||
type debugfs_mmc, fs_type, debugfs_type;
|
||||
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
||||
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
||||
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
||||
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_mm_events_tracing, fs_type, debugfs_type;
|
||||
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
||||
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
|
||||
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
|
||||
type debugfs_tracing_instances, fs_type, debugfs_type;
|
||||
type debugfs_tracing_printk_formats, fs_type, debugfs_type;
|
||||
type debugfs_wakeup_sources, fs_type, debugfs_type;
|
||||
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_wifi_tracing, fs_type, debugfs_type;
|
||||
type securityfs, fs_type;
|
||||
|
||||
type pstorefs, fs_type;
|
||||
|
@ -560,7 +560,7 @@ type hwservice_contexts_file, system_file_type, file_type;
|
|||
type vndservice_contexts_file, file_type;
|
||||
|
||||
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
|
||||
type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
|
||||
type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
|
||||
|
||||
# kernel modules
|
||||
type vendor_kernel_modules, vendor_file_type, file_type;
|
||||
|
|
|
@ -240,11 +240,8 @@ allow init {
|
|||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_data_file
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { create getattr open read write setattr relabelfrom unlink map };
|
||||
|
||||
allow init tracefs_type:file { create_file_perms relabelfrom };
|
||||
|
||||
allow init {
|
||||
file_type
|
||||
-app_data_file
|
||||
|
@ -293,8 +290,8 @@ allow init {
|
|||
-privapp_data_file
|
||||
}:dir_file_class_set relabelto;
|
||||
|
||||
allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
|
||||
allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
|
||||
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
|
||||
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
|
||||
allow init dev_type:dir create_dir_perms;
|
||||
allow init dev_type:lnk_file create;
|
||||
|
||||
|
@ -315,7 +312,6 @@ allow init {
|
|||
-sdcard_type
|
||||
-sysfs_type
|
||||
-rootfs
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { open read setattr };
|
||||
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
||||
|
||||
|
|
|
@ -79,7 +79,6 @@ allow vendor_init {
|
|||
-apex_metadata_file
|
||||
-apex_info_file
|
||||
-userspace_reboot_metadata_file
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { create getattr open read write setattr relabelfrom unlink map };
|
||||
|
||||
allow vendor_init {
|
||||
|
@ -144,11 +143,8 @@ allow vendor_init {
|
|||
-proc_uid_time_in_state
|
||||
-proc_uid_concurrent_active_time
|
||||
-proc_uid_concurrent_policy_time
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { open read setattr map };
|
||||
|
||||
allow vendor_init tracefs_type:file { open read setattr map };
|
||||
|
||||
allow vendor_init {
|
||||
fs_type
|
||||
-contextmount_type
|
||||
|
|
Loading…
Reference in a new issue