authorGilad Arnold <garnold@google.com>2015-08-31 22:13:57 -0700
committerGilad Arnold <garnold@google.com>2015-08-31 22:16:07 -0700
commit5dc2a431699336ef28d568ca41563e9f6ab84093 (patch)
tree671405e3eca9713be4182a9f20307bf8d37a3fb8
parente779a4ea234801eb279f378b6999705f10cd5abc (diff)
downloadtlsdate-5dc2a431699336ef28d568ca41563e9f6ab84093.tar.gz
Run tlsdated as root.
This is actually needed so it can drop privileges shortly after starting. Bug: 22373707 Change-Id: Ie114a96b80bc5e50525411904c1266fa7072ded0
-rw-r--r--Android.mk18
-rw-r--r--init/tlsdated.rc7
2 files changed, 8 insertions, 17 deletions
diff --git a/Android.mk b/Android.mk
index 2404ef4..0e49796 100644
--- a/Android.mk
+++ b/Android.mk
@@ -79,6 +79,7 @@ include $(BUILD_NATIVE_TEST)
include $(CLEAR_VARS)
LOCAL_MODULE := tlsdated
+LOCAL_INIT_RC := init/tlsdated.rc
LOCAL_REQUIRED_MODULES := tlsdated.rc
LOCAL_SRC_FILES := $(tlsdate_tlsdated_sources)
LOCAL_CFLAGS := -DTLSDATED_MAIN
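Review bot: `LOCAL_REQUIRED_MODULES := tlsdated.rc` is kept as context directly under the new `LOCAL_INIT_RC := init/tlsdated.rc`, yet the second Android.mk hunk deletes the only visible definition of the `tlsdated.rc` module. Unless that module is defined somewhere outside this diff, the requirement now names nothing, and whether the build ignores or rejects it presumably depends on the build-system version. I would drop the line so the rc file is installed through `LOCAL_INIT_RC` alone. The tlsdated module block continues past the end of this hunk.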
@@ -95,20 +96,3 @@ LOCAL_SRC_FILES := \
LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
$(eval $(tlsdate_common))
include $(BUILD_NATIVE_TEST)
-
-
-ifdef INITRC_TEMPLATE
-include $(CLEAR_VARS)
-LOCAL_MODULE := tlsdated.rc
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_INITRCD)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-.PHONY: $(LOCAL_BUILT_MODULE)
-$(LOCAL_BUILT_MODULE): my_args := \
- -v -l -s -- /system/bin/tlsdate -v -C /system/etc/security/cacerts -l
-$(LOCAL_BUILT_MODULE): my_groups := inet
-$(LOCAL_BUILT_MODULE): $(INITRC_TEMPLATE)
- $(call generate-initrc-file,tlsdated,$(my_args),$(my_groups))
-endif
diff --git a/init/tlsdated.rc b/init/tlsdated.rc
new file mode 100644
index 0000000..3a3a74a
--- /dev/null
+++ b/init/tlsdated.rc
@@ -0,0 +1,7 @@
+# Init file for starting tlsdated on Android.
+service tlsdated /system/bin/tlsdated -v -l -s -- /system/bin/tlsdate -v -C /system/etc/security/cacerts -l
+ class main
+ # This daemon needs to start as root and drops privileges early on.
+ user root
+ group system
+ seclabel u:r:brillo:s0
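Review bot: The `user root` / `group system` lines leave the whole privilege drop to tlsdated itself, and the comment above them does not say which uid/gid the daemon ends up with or what happens if the drop fails. Since the service runs `/system/bin/tlsdate` as a network-facing helper, I would extend the comment to name the target identity and the failure behaviour, e.g. `# Starts as root only to drop to <unprivileged user>:<group>; must exit if the drop fails.`, with the placeholders filled in from the daemon's source. The generated rc that this commit removes from Android.mk passed `inet` as the group, whereas this file sets `system`; if the post-drop process depends on an inherited group for socket access, that change should be confirmed as intended.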