Add early_virtmgr
early_virtmgr will serve early VMs available before /data mount.
early_virtmgr will use a separate domain from virtmgr because early VMs
and regular VMs differ.
Bug: 354059066
Test: build and check the label for early_virtmgr
Change-Id: If47899da03697302802d7cca5cbdb2c834715405
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index d8fc8df..75f9c10 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -9,3 +9,6 @@
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
/bin/vmnic u:object_r:vmnic_exec:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ /bin/early_virtmgr u:object_r:early_virtmgr_exec:s0
+')
diff --git a/flagging/Android.bp b/flagging/Android.bp
index ce20323..5117fab 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -18,6 +18,7 @@
name: "aosp_selinux_flags",
flags: [
"RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
+ "RELEASE_AVF_ENABLE_EARLY_VM",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
new file mode 100644
index 0000000..4e332f6
--- /dev/null
+++ b/private/early_virtmgr.te
@@ -0,0 +1,8 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ # Domain for a child process that manages early VMs available before /data mount, on behalf of
+ # its parent.
+ type early_virtmgr, domain, coredomain;
+ type early_virtmgr_exec, system_file_type, exec_type, file_type;
+
+ use_bootstrap_libs(early_virtmgr)
+')
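Review bot: Nothing in the new private/early_virtmgr.te limits which domains may enter `early_virtmgr`. The file declares the two types and calls `use_bootstrap_libs(early_virtmgr)`, but has no transition rule and no neverallow, and the header comment says "its parent" without naming that parent. Since the commit message keeps this domain separate from virtmgr on purpose, I would name the intended launcher in the comment and pin the entry point when the transition rule lands, for example `neverallow { domain -PARENT_DOMAIN } early_virtmgr:process { transition dyntransition };`, where PARENT_DOMAIN is a placeholder for the launching domain. The transition and any restrictions may already live in a file outside this diff, so confirm that before adding it.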