Restorecon /microdroid_resources in setup_selinux
The main reason for running restorecon of /microdroid_resources during
the setup_selinux stage is to avoid granting init some weird permissions
like `allow init tmpfs:file relabelfrom;`.
Instead we add such permissions to the kernel domain in which setup_selinux
runs. This feels better since the kernel domain already has similar
permissions like `allow kernel rootfs:file relabelfrom;`.
Bug: 287593065
Test: run microdroid vm with vendor partition
Change-Id: I82ef5499392e90f53655f7582e887d0b6cb3a5f0
diff --git a/init/selinux.cpp b/init/selinux.cpp
index e191b60..c2d9b8d 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -66,6 +66,7 @@
#include <android-base/result.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
+#include <android/avf_cc_flags.h>
#include <fs_avb/fs_avb.h>
#include <fs_mgr.h>
#include <libgsi/libgsi.h>
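Review bot: the new `#include <android/avf_cc_flags.h>` pulls in `android::virtualization::IsOpenDiceChangesFlagEnabled()` (used in the second hunk), but this change touches only init/selinux.cpp, so confirm that the library providing that header and symbol is already a build dependency of every variant of init that compiles this file (including any host or recovery build), otherwise the link will fail outside the Microdroid configuration this was tested in.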
@@ -702,6 +703,15 @@
SelinuxSetEnforcement();
+ if (IsMicrodroid() && android::virtualization::IsOpenDiceChangesFlagEnabled()) {
+ // We run restorecon of /microdroid_resources while we are still in kernel context to avoid
+ // granting init `tmpfs:file relabelfrom` capability.
+ const int flags = SELINUX_ANDROID_RESTORECON_RECURSE;
+ if (selinux_android_restorecon("/microdroid_resources", flags) == -1) {
+ PLOG(FATAL) << "restorecon of /microdroid_resources failed";
+ }
+ }
+
// We're in the kernel domain and want to transition to the init domain. File systems that
// store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here,
// but other file systems do. In particular, this is needed for ramdisks such as the
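Review bot: `PLOG(FATAL)` on a `-1` return makes a missing `/microdroid_resources` fatal for init, and `selinux_android_restorecon` fails when the path cannot be stat'ed; the Test line only covers a VM with a vendor partition, so either confirm that the directory exists in every Microdroid VM whenever `IsMicrodroid()` and the flag are both true, or check for the path first (or tolerate `ENOENT`) before treating the failure as fatal. Two smaller points: the new block runs after `SelinuxSetEnforcement()`, so the `allow kernel ... relabelfrom` rule described in the commit message must already be in the policy at that point for enforcing mode, and the comment's "capability" would be clearer as "permission", since `tmpfs:file relabelfrom` is an SELinux access vector, not a Linux capability.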