make init_gsi its own domain

..so that we are no longer violating Treble SELinux checks
2021-10-15 12:53:36 -04:00 · 2021-10-15 12:53:36 -04:00 · 3e3c06374d
parent f4a2675011
commit 3e3c06374d
5 changed files with 9 additions and 3 deletions
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@ -8,4 +8,3 @@ TARGET_SYSTEM_PROP := $(DEVICE_PATH)/system.prop

 # Sepolicy
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
-SELINUX_IGNORE_NEVERALLOWS := true
--- a/init/init_gsi.rc
+++ b/init/init_gsi.rc
@ -1,2 +1,2 @@
 on post-fs
-    exec u:r:init:s0 -- /system_ext/bin/init_gsi
+    exec -- /system_ext/bin/init_gsi
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@ -0,0 +1 @@
+/system/system_ext/bin/init_gsi        u:object_r:init_gsi_exec:s0
--- a/sepolicy/private/init.te
+++ b/sepolicy/private/init.te
@ -1 +0,0 @@
-allow init system_file:file execute_no_trans;
--- a/sepolicy/private/init_gsi.te
+++ b/sepolicy/private/init_gsi.te
@ -0,0 +1,7 @@
+type init_gsi, domain, coredomain;
+type init_gsi_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(init_gsi);
+
+# TODO: Address denials and remove this
+permissive init_gsi;
				`@ -0,0 +1 @@`
				`/system/system_ext/bin/init_gsi u:object_r:init_gsi_exec:s0`
				`@ -1 +0,0 @@`
				`allow init system_file:file execute_no_trans;`