wembley: sepolicy: allow init to mount debugfs in userdebug builds

In Android S, debugfs will be mounted by init to enable boot time initializations to set up debug data collection and unmounted after boot. This change will help debug builds with keeping debugfs disabled during run time. Bug: 176936478 Test: make Change-Id: I4dacf374a9b85a000802ee6a8d00458aecb84404
author: Hridya Valsaraju <hridya@google.com> 2021-01-08 22:17:05 -0800
committer: Hridya Valsaraju <hridya@google.com> 2021-01-08 22:19:47 -0800
commit: 3d758d17dedf13141d0de41ca37cc08a3f18f345 (patch)
tree: a3d5a926df5f177a4fdbb8c5d62d3e5bdeb1bfb8
parent: 41469e15a85f439dd190a93387c5e4b05b8adb37 (diff)
download: wembley-sepolicy-3d758d17dedf13141d0de41ca37cc08a3f18f345.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/neverallows/plat_public/neverallows.te b/neverallows/plat_public/neverallows.te
index a033c6f..a11a4bf 100644
--- a/neverallows/plat_public/neverallows.te
+++ b/neverallows/plat_public/neverallows.te
@@ -132,7 +132,7 @@ full_treble_only(`
     vendor_init
     } debugfs:dir ~{ search getattr };
 
-  neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto };
+  neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto userdebug_or_eng(`mounton') };
 
   neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
 ')
author	Hridya Valsaraju <hridya@google.com>	2021-01-08 22:17:05 -0800
committer	Hridya Valsaraju <hridya@google.com>	2021-01-08 22:19:47 -0800
commit	3d758d17dedf13141d0de41ca37cc08a3f18f345 (patch)
tree	a3d5a926df5f177a4fdbb8c5d62d3e5bdeb1bfb8
parent	41469e15a85f439dd190a93387c5e4b05b8adb37 (diff)
download	wembley-sepolicy-3d758d17dedf13141d0de41ca37cc08a3f18f345.tar.gz