authorTreehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>2024-02-27 16:48:25 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2024-02-27 16:48:25 +0000
commit6163cfb24c33f8ff9306d70863e2b4782b8225a9 (patch)
tree9a2f88024bb5011f5353286e1532f838c6baee0c
parent0bd02381ce46fd033d933a820e5e124e76ded964 (diff)
parent94646d7d190918036401fd4d63b44a9d357bc7d1 (diff)
downloadsecurity-6163cfb24c33f8ff9306d70863e2b4782b8225a9.tar.gz
Merge "Grant SYS_NICE for odsign" into main am: 94646d7d19
Original change: https://android-review.googlesource.com/c/platform/system/security/+/2978554 Change-Id: I3a048996462d0cff6073b709d68a88d4b00c0c33 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--ondevice-signing/odsign.rc11
1 files changed, 4 insertions, 7 deletions
diff --git a/ondevice-signing/odsign.rc b/ondevice-signing/odsign.rc
index b96c62ff..b95cf9db 100644
--- a/ondevice-signing/odsign.rc
+++ b/ondevice-signing/odsign.rc
@@ -3,13 +3,10 @@ service odsign /system/bin/odsign
user root
group system
disabled # does not start with the core class
- # Explicitly specify empty capabilities, otherwise odsign will inherit all
- # the capabilities from init.
- # Note: whether a process can use capabilities is controlled by SELinux, so
- # inheriting all the capabilities from init is not a security issue.
- # However, for defense-in-depth and just for the sake of bookkeeping it's
- # better to explicitly state that odsign doesn't need any capabilities.
- capabilities
+ # We need SYS_NICE in order to allow the crosvm child process to use it.
+ # (b/322197421). odsign itself never uses it (and isn't allowed to by
+ # SELinux).
+ capabilities SYS_NICE
# Note that odsign is not oneshot, but stopped manually when it exits. This
# ensures that if odsign crashes during a module update, apexd will detect