From 70551d2bc99d7e0fae671fa83cd689c831546f0c Mon Sep 17 00:00:00 2001
From: Hridya Valsaraju
Date: Mon, 10 May 2021 15:38:15 -0700
Subject: [PATCH] Let debugfs be accessed only for non-user builds

Since production devices(with user builds) must not mount debugfs, provide dumpstate HAL permission to access debugfs only in userdebug/eng builds. Also, delete dumpstate domain's access to vendor_dmabuf_debugfs(/d/dma_buf/bufinfo) since dumpstate now obtains the same information from /sys/kernel/dmabuf.
Test: build
Bug: 186500818
Change-Id: I17007d495fba6332bbf17dc7d030e5c6e4d5248b
---
 whitechapel/vendor/google/dumpstate.te | 1 -
 whitechapel/vendor/google/hal_dumpstate_default.te | 5 +++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te
index 9b5c0538..7c024e3d 100644
--- a/whitechapel/vendor/google/dumpstate.te
+++ b/whitechapel/vendor/google/dumpstate.te
@@ -2,7 +2,6 @@ dump_hal(hal_telephony)
 dump_hal(hal_graphics_composer)
 userdebug_or_eng(`
- allow dumpstate vendor_dmabuf_debugfs:file r_file_perms;
 allow dumpstate media_rw_data_file:file append;
 ')
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
index 97a419ce..f7a4537c 100644
--- a/whitechapel/vendor/google/hal_dumpstate_default.te
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -77,8 +77,6 @@ allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
 allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
 allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
-allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
-allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
 allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
@@ -131,6 +129,9 @@ userdebug_or_eng(`
 allow hal_dumpstate_default sysfs_bcl:lnk_file read;
 allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
 allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms;
+ allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+ allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+ set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
 ')
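Review bot: User builds will probably log avc denials for `debugfs_f2fs` now that the two rules sit inside `userdebug_or_eng`, if the dumpstate HAL still attempts those reads regardless of build type; the HAL code is not part of this patch, so that needs confirming. If it is not gated, consider adding outside the macro `dontaudit hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;` and `dontaudit hal_dumpstate_default debugfs_f2fs:file r_file_perms;`, which keeps production audit logs free of expected noise while the `allow` still applies on userdebug/eng. A one-line comment above the moved rules, such as `# debugfs is not mounted on user builds; keep debugfs access debug-only`, would record why they must not be hoisted back out. The `userdebug_or_eng` block opens before this hunk, so other debugfs types granted unconditionally elsewhere in the file cannot be checked from here.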