Revert "Add a neverallow for debugfs mounting"

Revert submission 1668411 Reason for revert: Suspect for b/186173384 Reverted Changes: Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t... I743a81489:Exclude vendor_modprobe from debugfs neverallow re... I63a22402c:Add neverallows for debugfs access I289f2d256:Add a neverallow for debugfs mounting Change-Id: Ie04d7a4265ace43ba21a108af85f82ec137c6af0
2021-04-23 16:38:20 +00:00 · 2021-04-23 16:38:20 +00:00 · f9dbb72654
commit f9dbb72654
parent e95e0ec0a5
8 changed files with 3 additions and 65 deletions
--- a/Android.mk
+++ b/Android.mk
@ -301,11 +301,6 @@ ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
  enforce_sysprop_owner := false
 endif

-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
-  enforce_debugfs_restriction := true
-endif
-
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
  #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -626,7 +621,6 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -644,7 +638,6 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -703,7 +696,6 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -721,7 +713,6 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -844,7 +835,6 @@ $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(vendor_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -908,7 +898,6 @@ $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
 $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(odm_policy.conf): $(policy_files) $(M4)
@ -1175,7 +1164,6 @@ $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
-$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy.recovery.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -1413,7 +1401,6 @@ $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -1446,7 +1433,6 @@ $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@ -1565,7 +1551,6 @@ built_vendor_svc :=
 built_plat_sepolicy :=
 treble_sysprop_neverallow :=
 enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
 mapping_policy :=
 my_target_arch :=
 pub_policy.cil :=
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@ -135,13 +135,6 @@ func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
 	return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
 }

-func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
-	if c.cts() {
-		return "cts"
-	}
-	return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
-}
-
 func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
 	conf := android.PathForModuleOut(ctx, "conf").OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
@ -161,7 +154,6 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
 		FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
 		FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
 		FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
-		FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
 		Flag("-s").
 		Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
 		Text("> ").Output(conf)
--- a/definitions.mk
+++ b/definitions.mk
@ -15,7 +15,6 @@ $(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
-	-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@ -61,7 +61,6 @@ $(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
 $(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
 $(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
 $(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
-$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
 $(1): PRIVATE_POLICY_FILES := $$(policy_files)
 $(1): $$(policy_files) $$(M4)
 	$$(transform-policy-to-conf)
--- a/private/domain.te
+++ b/private/domain.te
@ -364,15 +364,7 @@ neverallow {
    -update_engine
    -vold
    -zygote
-} { fs_type
-    -sdcard_type
-}:filesystem { mount remount relabelfrom relabelto };
-
-enforce_debugfs_restriction(`
-  neverallow {
-    domain userdebug_or_eng(`-init')
-  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
-')
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

 # Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
--- a/public/init.te
+++ b/public/init.te
@ -162,19 +162,7 @@ allowxperm init dev_type:blk_file ioctl BLKROSET;
 # which should all be assigned the contextmount_type attribute.
 # This can be done in device-specific policy via type or typeattribute
 # declarations.
-allow init {
-  fs_type
-  enforce_debugfs_restriction(`-debugfs_type')
-}:filesystem ~relabelto;
-
-# Allow init to mount/unmount debugfs in non-user builds.
-enforce_debugfs_restriction(`
-  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
-')
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
+allow init fs_type:filesystem ~relabelto;
 allow init unlabeled:filesystem ~relabelto;
 allow init contextmount_type:filesystem relabelto;

--- a/public/recovery.te
+++ b/public/recovery.te
@ -32,7 +32,7 @@ recovery_only(`
  # Mount filesystems.
  allow recovery rootfs:dir mounton;
  allow recovery tmpfs:dir mounton;
-  allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
+  allow recovery fs_type:filesystem ~relabelto;
  allow recovery unlabeled:filesystem ~relabelto;
  allow recovery contextmount_type:filesystem relabelto;

--- a/public/te_macros
+++ b/public/te_macros
@ -505,23 +505,6 @@ $1
 #
 define(`not_full_treble', ifelse(target_full_treble, `true', , $1))

-#####################################
-# enforce_debugfs_restriction
-# SELinux rules which apply to devices that enable debugfs restrictions.
-# The keyword "cts" is used to insert markers to only CTS test the neverallows
-# added by the macro for S-launch devices and newer.
-define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
-ifelse(target_enforce_debugfs_restriction, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# no_debugfs_restriction
-# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
-define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
-
 #####################################
 # Compatible property only
 # SELinux rules which apply only to devices with compatible property