From de2696eb721761eb0dac1f689325e98a8774b351 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 23 Mar 2022 11:53:35 +0800
Subject: [PATCH] enforce debugfs constraint on userdebug build

Bug: 225815474
Test: build pass
Change-Id: If9e32d4b67c342b56eea39701518a520a62df199
---
 tracking_denials/hardware_info_app.te | 2 ++
 tracking_denials/vendor_init.te | 2 ++
 whitechapel_pro/dumpstate.te | 1 -
 whitechapel_pro/hardware_info_app.te | 6 ------
 4 files changed, 4 insertions(+), 7 deletions(-)
 create mode 100644 tracking_denials/hardware_info_app.te

diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
new file mode 100644
index 00000000..2975d243
--- /dev/null
+++ b/tracking_denials/hardware_info_app.te
@@ -0,0 +1,2 @@
+# b/208909060
+dontaudit hardware_info_app vendor_maxfg_debugfs:dir search;
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 0bcad4ed..1652b7a1 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -2,4 +2,6 @@ dontaudit vendor_init thermal_link_device:file { create };
 # b/221384939
 dontaudit vendor_init vendor_battery_defender_prop:property_service { set };
+# b/226271913
+dontaudit vendor_init vendor_maxfg_debugfs:file setattr;
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
index 5caeac78..8ff47509 100644
--- a/whitechapel_pro/dumpstate.te
+++ b/whitechapel_pro/dumpstate.te
@@ -4,7 +4,6 @@ dump_hal(hal_telephony)
 dump_hal(hal_uwb_vendor)
 userdebug_or_eng(`
- allow dumpstate vendor_dmabuf_debugfs:file r_file_perms;
 allow dumpstate media_rw_data_file:file append;
 ')
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
index 38f79c80..751bb885 100644
--- a/whitechapel_pro/hardware_info_app.te
+++ b/whitechapel_pro/hardware_info_app.te
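Review bot: The `dontaudit hardware_info_app vendor_maxfg_debugfs:dir search;` rule added in tracking_denials/hardware_info_app.te is unconditional, while the allow rules this commit removes from whitechapel_pro/hardware_info_app.te were wrapped in `userdebug_or_eng`. As written the denial is silenced on every build type, so any attempt by this domain to reach the maxfg debugfs directory disappears from the audit log rather than showing up as a regression. If the suppression is only meant for the builds where the old rule applied, consider scoping it the same way the removed block was. The rule added to tracking_denials/vendor_init.te has the same shape.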
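Review bot: `dontaudit vendor_init vendor_maxfg_debugfs:file setattr;` in tracking_denials/vendor_init.te hides the denial but leaves whatever is setting attributes on the maxfg debugfs files still running and failing; the source of that setattr is not visible in this patch (presumably an init script entry). With `Test: build pass` as the only verification, nothing here shows the behaviour on a booted userdebug device. I would record the cause and the exit condition beside the rule, e.g. `# b/226271913: vendor_init still sets attributes on maxfg debugfs files; remove once that action is dropped`, so the suppression does not outlive the fix.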
@@ -22,11 +22,5 @@ allow hardware_info_app sysfs_display:file r_file_perms;
 allow hardware_info_app sysfs_soc:file r_file_perms;
 allow hardware_info_app sysfs_chip_id:file r_file_perms;
-# Fuel
-userdebug_or_eng(`
- allow hardware_info_app vendor_maxfg_debugfs:dir search;
- allow hardware_info_app vendor_maxfg_debugfs:file r_file_perms;
-')
-
 # Batery history
 allow hardware_info_app battery_history_device:chr_file r_file_perms;