I'd like to add a module, which could be something like /system/bin/mymodule, and surely I need a custom sepolicy for this, defining its context and writing the policy.
I know that since Android 8 it brings Treble with limitations, and I can likely just modify the sepolicy under device/manufacturer/device-name/sepolicy, where I could add a mymodule.te file with maybe something like:
type mymodule, domain;
type mymodule_exec, exec_type, file_type;
init_daemon_domain(mymodule)
But in my situation, it may break the neverallow sepolicy under system/sepolicy/private/domain.te, so maybe I need to modify it with something like neverallow { -mymodule }.
But my concern is that this may violate the Android Treble thing, and maybe make it fail to pass the CTS?
So the question is: was my concern right? And if it is right, is there some other way I could pass this neverallow sepolicy?
system/sepolicy/public/attributes defines many domains for different usage, such as appdomain for normal apps, netdomain for apps that need network access, etc. Maybe you should change to the correct domain for your module, based on your module's operation. In many cases, it will satisfy your demand.