neverallow debugfs access

Don't allow access to the generic debugfs label. Instead, force relabeling to a more specific type. system_server and dumpstate are excluded from this until I have time to fix them. Tighten up the neverallow rules for untrusted_app. It should never be reading any file on /sys/kernel/debug, regardless of the label. Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa

neverallow debugfs access
96b1c9ca · Nick Kralevich · cf7ee8a8 · 96b1c9ca · 96b1c9ca
Commit 96b1c9ca authored 9 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -508,3 +508,9 @@ neverallow domain ~property_type:property_service set;
 # $ grep mydaemon file_contexts
 # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
 neverallow domain domain:file { execute execute_no_trans entrypoint };
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix system_server and dumpstate
+neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -112,7 +112,7 @@ neverallow untrusted_app domain:netlink_socket *;
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs:file read;
+neverallow untrusted_app debugfs_type:file read;
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering