sdm710-common: Set PRODUCT_SET_DEBUGFS_RESTRICTIONS

Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, the
build flag PRODUCT_SET_DEBUGFS_RESTRICTIONS can be set by vendors to
enforce additional debugfs restrictions for userdebug/eng builds. The
same flag will be used to enable sepolicy neveallow statements to
prevent new permissions added for debugfs access.

Test: build, boot
Bug: 184381659
Change-Id: I45e6f20c886d467a215c9466f3a09965ff897d7e

rootdir/etc/init.msm.usb.configfs.rc

@@ -1379,15 +1379,3 @@ on property:sys.usb.config=midi && property:sys.usb.configfs=1
 on property:sys.usb.config=midi,adb && property:sys.usb.configfs=1
     write /config/usb_gadget/g1/idVendor 0x18d1
     write /config/usb_gadget/g1/idProduct 0x4ee9
-
-on property:vendor.usb.eud=1
-    write /config/usb_gadget/g1/configs/b.1/MaxPower 1
-    write /sys/module/eud/parameters/enable 1
-    write /sys/kernel/debug/pmic-votable/USB_ICL/force_active 1
-    write /sys/kernel/debug/pmic-votable/USB_ICL/force_val 500
-
-on property:vendor.usb.eud=0
-    write /sys/kernel/debug/pmic-votable/USB_ICL/force_active 0
-    write /sys/kernel/debug/pmic-votable/USB_ICL/force_val 0
-    write /config/usb_gadget/g1/configs/b.1/MaxPower 0
-    write /sys/module/eud/parameters/enable 0

rootdir/etc/init.qcom.post_boot.sh

@@ -101,7 +101,6 @@ if [ $feature_id == 6 ]; then
 	echo 940800000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/min_freq
 	echo 1017600000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/max_freq
 	echo 3 > /sys/class/kgsl/kgsl-3d0/max_pwrlevel
-	echo {class:ddr, res:fixed, val: 1016} > /sys/kernel/debug/aop_send_message
 	setprop vendor.sku_identified 1
 elif [ $feature_id == 5 ]; then
 	echo "SKU Configured : SA6150"
@@ -126,7 +125,6 @@ elif [ $feature_id == 5 ]; then
 	echo 940800000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/min_freq
 	echo 1363200000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/max_freq
 	echo 2 > /sys/class/kgsl/kgsl-3d0/max_pwrlevel
-	echo {class:ddr, res:fixed, val: 1333} > /sys/kernel/debug/aop_send_message
 	setprop vendor.sku_identified 1
 elif [ $feature_id == 4 || $feature_id == 3 ]; then
 	echo "SKU Configured : SA6155"
@@ -151,7 +149,6 @@ elif [ $feature_id == 4 || $feature_id == 3 ]; then
 	echo 940800000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/min_freq
 	echo 1363200000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/max_freq
 	echo 0 > /sys/class/kgsl/kgsl-3d0/max_pwrlevel
-	echo {class:ddr, res:fixed, val: 1555} > /sys/kernel/debug/aop_send_message
 	setprop vendor.sku_identified 1
 else
 	echo "unknown feature_id value" $feature_id
@@ -176,8 +173,7 @@ else
 	echo 940800000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/min_freq
 	echo 1363200000 > /sys/class/devfreq/soc\:qcom,cpu6-cpu-l3-lat/max_freq
 	echo 0 > /sys/class/kgsl/kgsl-3d0/max_pwrlevel
-	echo {class:ddr, res:fixed, val: 1555} > /sys/kernel/debug/aop_send_message
-        setprop vendor.sku_identified 1
+    setprop vendor.sku_identified 1
 fi
 }
 
@@ -5047,12 +5043,6 @@ case "$target" in
         ;;
 esac
 
-case "$target" in
-    "qsd8650a_st1x")
-        mount -t debugfs none /sys/kernel/debug
-    ;;
-esac
-
 chown -h system /sys/devices/system/cpu/cpufreq/ondemand/sampling_rate
 chown -h system /sys/devices/system/cpu/cpufreq/ondemand/sampling_down_factor
 chown -h system /sys/devices/system/cpu/cpufreq/ondemand/io_is_busy

rootdir/etc/init.qcom.rc

@@ -35,20 +35,6 @@ on early-init
     rm /data/resource-cache
     rm /data/system/package_cache
 
-    mount debugfs debugfs /sys/kernel/debug
-    chmod 0755 /sys/kernel/debug
-    chown system system /sys/kernel/debug
-
-  # Change ownership of hw_recovery related nodes
-    chown system graphics /sys/kernel/debug/dri/0/debug/dump
-    chown system graphics /sys/kernel/debug/dri/0/debug/recovery_reg
-    chown system graphics /sys/kernel/debug/dri/0/debug/recovery_dbgbus
-    chown system graphics /sys/kernel/debug/dri/0/debug/recovery_vbif_dbgbus
-
-    # Change ownership of sw_sync node
-    chown system graphics /sys/kernel/debug/sync/sw_sync
-    chmod 0666 /sys/kernel/debug/sync/sw_sync
-
     chown root system /dev/kmsg
     chmod 0620 /dev/kmsg
     # Load WIGIG platform driver
@@ -81,8 +67,6 @@ on init
     write /sys/block/mmcblk0/queue/iostats 0
 
 on post-fs
-    chmod 0755 /sys/kernel/debug/tracing
-
     # Start services for bootanim
     start surfaceflinger
     start bootanim
@@ -153,8 +137,6 @@ on boot
     chown bluetooth bluetooth /sys/module/hci_smd/parameters/hcismd_set
     chown system system /sys/module/msm_core/parameters/polling_interval
     chown system system /sys/module/msm_core/parameters/disabled
-    chown system system /sys/kernel/debug/msm_core/enable
-    chown system system /sys/kernel/debug/msm_core/ptable
     chown system system /sys/kernel/boot_slpi/ssr
     chown system system /sys/module/radio_iris_transport/parameters/fmsmd_set
     chmod 0660 /sys/module/bluetooth_power/parameters/power

sdm710.mk

@@ -257,6 +257,9 @@ PRODUCT_PACKAGES += \
 # HWUI
 HWUI_COMPILE_FOR_PERF := true 
 
+# Kernel
+PRODUCT_SET_DEBUGFS_RESTRICTIONS := true
+
 # Input
 PRODUCT_COPY_FILES += \
     $(LOCAL_PATH)/keylayout/fts_ts.kl:$(TARGET_COPY_OUT_SYSTEM)/usr/keylayout/fts_ts.kl

sepolicy/vendor/file.te

@@ -1,7 +1,6 @@
 type fingerprint_data_file, data_file_type, file_type;
 type thermal_data_file, data_file_type, file_type;
 
-type debugfs_sched_features, debugfs_type, fs_type;
 type proc_sysctl_schedboost, proc_type, fs_type;
 
 type sysfs_fingerprint, sysfs_type, fs_type;

sepolicy/vendor/genfs_contexts

@@ -1,7 +1,6 @@
 genfscon sysfs /power/rpmh_stats/master_stats         u:object_r:sysfs_rpm:s0
 genfscon sysfs /power/system_sleep/stats              u:object_r:sysfs_system_sleep_stats:s0
 
-genfscon debugfs /sched_features                      u:object_r:debugfs_sched_features:s0
 genfscon proc /sys/kernel/sched_boost                 u:object_r:proc_sysctl_schedboost:s0
 
 # DT2W

sepolicy/vendor/hal_power_default.te

@@ -16,7 +16,6 @@ allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
 allow hal_power_default device_latency:chr_file rw_file_perms;
 allow hal_power_default cgroup:dir search;
 allow hal_power_default cgroup:file rw_file_perms;
-allow hal_power_default debugfs_sched_features:file rw_file_perms;
 allow hal_power_default proc_sysctl_schedboost:file rw_file_perms;
 
 # Allow power hal to talk to mm-pp-daemon to control display lpm

sepolicy/vendor/init.te

@@ -5,5 +5,4 @@ allow init self:netlink_route_socket rw_socket_perms_no_ioctl;
 allow init self:rawip_socket create_socket_perms_no_ioctl;
 allow init socket_device:sock_file { unlink setattr create };
 
-allow init debugfs_tracing_debug:dir mounton;
 allow init proc:file write;

sepolicy/vendor/ueventd.te

@@ -1,4 +0,0 @@
-allow ueventd debugfs:dir { getattr open read relabelfrom };
-allow ueventd { debugfs debugfs_wakeup_sources }:file getattr;
-allow ueventd qti_debugfs:dir relabelto;
-allow ueventd { debugfs debugfs_sched_features }:file getattr;