From e85b2addca10de56b18b0edee386281a0f2fcc6b Mon Sep 17 00:00:00 2001
From: Tom Cherry
Date: Thu, 9 Aug 2018 10:40:33 -0700
Subject: [PATCH] init: clarify comment for the restorecon of second stage init

Test: we actually do need this restorecon for recovery.
Change-Id: I46a8d6ea5c08b18d79fa6dd8df0f4a98695363e2
---
 init/init_first_stage.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/init/init_first_stage.cpp b/init/init_first_stage.cpp
index b367f2a79..466cde332 100644
--- a/init/init_first_stage.cpp
+++ b/init/init_first_stage.cpp
@@ -138,9 +138,10 @@ int main(int argc, char** argv) {
 SelinuxSetupKernelLogging();
 SelinuxInitialize();
- // Unneeded? It's an ext4 file system so shouldn't it have the right domain already?
- // We're in the kernel domain, so re-exec init to transition to the init domain now
- // that the SELinux policy has been loaded.
+ // We're in the kernel domain and want to transition to the init domain when we exec second
+ // stage init. File systems that store SELabels in their xattrs, such as ext4 do not need an
+ // explicit restorecon here, but other file systems do. In particular, this is needed for
+ // ramdisks such as the recovery image for A/B devices.
 if (selinux_android_restorecon("/system/bin/init", 0) == -1) {
 PLOG(FATAL) << "restorecon failed of /system/bin/init failed";
 }
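Review bot: The new comment says which file systems need the restorecon but not why the label matters for the exec that follows. Presumably the kernel-to-init domain transition is keyed on the label of /system/bin/init, so an unlabeled ramdisk copy would leave second stage init outside the init domain. I would add a sentence such as `// The domain transition on exec depends on this file's label, so a failure here must stay fatal.` and fix the punctuation to `such as ext4, do not need`. The unchanged PLOG text just below, `restorecon failed of /system/bin/init failed`, repeats "failed" and could be tidied in the same change. main() starts and ends outside the hunk.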