From 3e3c06374df78d69b5114d03578d1d0e44953135 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Fri, 15 Oct 2021 12:53:36 -0400
Subject: [PATCH] make init_gsi its own domain ..so that we are no longer violating Treble SELinux checks
---
 BoardConfigCommon.mk | 1 -
 init/init_gsi.rc | 2 +-
 sepolicy/private/file_contexts | 1 +
 sepolicy/private/init.te | 1 -
 sepolicy/private/init_gsi.te | 7 +++++++
 5 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 sepolicy/private/file_contexts
 delete mode 100644 sepolicy/private/init.te
 create mode 100644 sepolicy/private/init_gsi.te
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 4040420..ca8fa77 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -8,4 +8,3 @@ TARGET_SYSTEM_PROP := $(DEVICE_PATH)/system.prop
 # Sepolicy
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
-SELINUX_IGNORE_NEVERALLOWS := true
diff --git a/init/init_gsi.rc b/init/init_gsi.rc
index f7ae309..9dcbb56 100644
--- a/init/init_gsi.rc
+++ b/init/init_gsi.rc
@@ -1,2 +1,2 @@
 on post-fs
- exec u:r:init:s0 -- /system_ext/bin/init_gsi
+ exec -- /system_ext/bin/init_gsi
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..44409c4
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1 @@
+/system/system_ext/bin/init_gsi u:object_r:init_gsi_exec:s0
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
deleted file mode 100644
index 492567e..0000000
--- a/sepolicy/private/init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow init system_file:file execute_no_trans;
diff --git a/sepolicy/private/init_gsi.te b/sepolicy/private/init_gsi.te
new file mode 100644
index 0000000..90229c1
--- /dev/null
+++ b/sepolicy/private/init_gsi.te
@@ -0,0 +1,7 @@
+type init_gsi, domain, coredomain;
+type init_gsi_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(init_gsi);
+
+# TODO: Address denials and remove this
+permissive init_gsi;
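Review bot: The new entry in sepolicy/private/file_contexts labels only `/system/system_ext/bin/init_gsi`, while init/init_gsi.rc runs the binary as `/system_ext/bin/init_gsi`. The two agree when system_ext lives inside the system image, which is presumably the layout this GSI tree targets. On a build with a dedicated system_ext partition the binary would keep its default label, and the `exec` line, which no longer passes a seclabel, would have no init_gsi transition to take. The pattern AOSP uses covers both layouts: `/(system_ext|system/system_ext)/bin/init_gsi u:object_r:init_gsi_exec:s0`.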
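Review bot: `permissive init_gsi;` at the end of sepolicy/private/init_gsi.te leaves the new domain labelled but not confined, so everything the init-started binary does is only logged and never denied. The file grants nothing beyond `init_daemon_domain(init_gsi)`, so closing the TODO means collecting the `avc: denied` records for the init_gsi source context and turning them into narrow allow rules before the line is dropped. As far as I know the AOSP policy build rejects permissive domains on user builds, so in the meantime the statement probably needs to sit inside the `userdebug_or_eng()` macro. I would extend the comment to `# TODO: address init_gsi denials with explicit allow rules, then remove; permissive means this domain is not enforced`.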