Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6b7311fc authored by Hridya Valsaraju's avatar Hridya Valsaraju
Browse files

Use property ro.product.enforce_debugfs_restrictions to enable debugfs 

restrictions

Use the property ro.product.enforce_debugfs_restrictions to enable
debugfs restrictions instead of checking the launch API level. Vendors
can enable build-time as well as run-time debugfs restrictions by
setting the build flag PRODUCT_SET_DEBUGFS_RESTRICTIONS true which in
turn sets ro.product.enforce_debugfs_restrictions true as well enables
sepolicy neverallow restrictions that prevent debugfs access. The
intention of the build flag is to prevent debugfs dependencies from
creeping in during development on userdebug/eng builds.

Test: build and boot
Bug: 184381659
Change-Id: If555037f973e6e4f35eb7312637f58e8360c3013
parent 007d7941

init/init.cpp

+0 −15
Original line number Diff line number Diff line
@@ -849,21 +849,6 @@ int SecondStageMain(int argc, char** argv) { 
    auto is_installed = android::gsi::IsGsiInstalled() ? "1" : "0";

    SetProperty(gsi::kGsiInstalledProp, is_installed);



    /*

     * For debug builds of S launching devices, init mounts debugfs for

     * enabling vendor debug data collection setup at boot time. Init will unmount it on

     * boot-complete after vendor code has performed the required initializations

     * during boot. Dumpstate will then mount debugfs in order to read data

     * from the same using the dumpstate HAL during bugreport creation.

     * Dumpstate will also unmount debugfs after bugreport creation.

     * first_api_level comparison is done here instead

     * of init.rc since init.rc parser does not support >/< operators.

     */

    auto api_level = android::base::GetIntProperty("ro.product.first_api_level", 0);

    bool is_debuggable = android::base::GetBoolProperty("ro.debuggable", false);

    auto mount_debugfs = (is_debuggable && (api_level >= 31)) ? "1" : "0";

    SetProperty("init.mount_debugfs", mount_debugfs);



    am.QueueBuiltinAction(SetupCgroupsAction, "SetupCgroups");

    am.QueueBuiltinAction(SetKptrRestrictAction, "SetKptrRestrict");

    am.QueueBuiltinAction(TestPerfEventSelinuxAction, "TestPerfEventSelinux");

rootdir/init.rc

+2 −2
Original line number Diff line number Diff line
@@ -985,7 +985,7 @@ on boot && property:ro.config.low_ram=true 
    write /proc/sys/vm/dirty_expire_centisecs 200

    write /proc/sys/vm/dirty_background_ratio  5



on property:sys.boot_completed=1 && property:init.mount_debugfs=1

on property:sys.boot_completed=1 && property:ro.product.enforce_debugfs_restrictions=true

   umount /sys/kernel/debug



on boot
@@ -1263,7 +1263,7 @@ on userspace-reboot-resume 
on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1

  setprop sys.init.userspace_reboot.in_progress ""



on early-init && property:init.mount_debugfs=1

on early-init && property:ro.product.enforce_debugfs_restrictions=true

    mount debugfs debugfs /sys/kernel/debug

    chmod 0755 /sys/kernel/debug