Enforce debugfs restrictions for S launching devices and newer

Starting with Android R, debugfs cannot be mounted on production
devices. In order to minimize the differences w.r.t. debugfs between user
and userdebug/eng builds, enforce a set of run-time and build-time
restrictions on debugfs access for S launch devices and newer. For
non-user builds, debugfs can still be accessed by root and by the
dumpstate HAL during bugreport collection.

Bug: 184381659
Test: build/boot
Change-Id: I2af49acd8a5b3440c6ecbf365ab43cdb33ff897a
Hridya Valsaraju 2021-04-07 10:37:39 -07:00
parent ffa65ba8f0
commit 408d898a43
1 changed files with 8 additions and 0 deletions


@ -359,6 +359,14 @@ ifeq ($(PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS),)
endif
endif
ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),)
ifdef PRODUCT_SHIPPING_API_LEVEL
ifeq (true,$(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),31))
PRODUCT_SET_DEBUGFS_RESTRICTIONS := true
endif
endif
endif
ifdef PRODUCT_SHIPPING_API_LEVEL
ifneq (,$(call math_gt_or_eq,29,$(PRODUCT_SHIPPING_API_LEVEL)))
PRODUCT_PACKAGES += $(PRODUCT_PACKAGES_SHIPPING_API_LEVEL_29)