From 986d0bd3c02bfbe7f516d236eb4ef1012c88dc4a Mon Sep 17 00:00:00 2001
From: Hridya Valsaraju <hridya@google.com>
Date: Fri, 2 Apr 2021 11:33:45 -0700
Subject: [PATCH] sdm660-common: Set PRODUCT_SET_DEBUGFS_RESTRICTIONS

Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, the
build flag PRODUCT_SET_DEBUGFS_RESTRICTIONS can be set by vendors to
enforce additional debugfs restrictions for userdebug/eng builds. The
same flag will be used to enable sepolicy neveallow statements to
prevent new permissions added for debugfs access.

Test: build, boot
Bug: 184381659
Change-Id: I45e6f20c886d467a215c9466f3a09965ff897d7e
Signed-off-by: pix106 <sbordenave@gmail.com>
---
 sdm660.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdm660.mk b/sdm660.mk
index 92ac45fc..ccce007d 100644
--- a/sdm660.mk
+++ b/sdm660.mk
@@ -161,6 +161,9 @@ PRODUCT_COPY_FILES += \
     frameworks/native/data/etc/android.hardware.consumerir.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.consumerir.xml
 endif
 
+# DebugFS
+PRODUCT_SET_DEBUGFS_RESTRICTIONS := true
+
 # Display
 PRODUCT_PACKAGES += \
     android.frameworks.displayservice@1.0 \