author: David Dai <davidai@google.com> 2024-02-26 15:54:06 -0800
committer: David Dai <davidai@google.com> 2024-02-26 15:58:02 -0800
commit: c8e0cac0145fc3b5647f37d46a3d84d8ae68b297
tree: d990bdc2e63ff913d760fe698824df9a960a3d65
parent: 3dfac147870293dd3502f6bc7db4c0154cdc7087
Grant SYS_NICE for odsign

Grant sys_nice capabilities to odsign so that it can spawn VMs with sys_nice enabled which is used by compos_verify.

Bug:326557850
Test: atest odsign_e2e_tests_full
Change-Id: I9f502b997123faf9bc5a8e04f416726ea8001e41
Signed-off-by: David Dai <davidai@google.com>

-rw-r--r-- ondevice-signing/odsign.rc 11
1 files changed, 4 insertions, 7 deletions
diff --git a/ondevice-signing/odsign.rc b/ondevice-signing/odsign.rc
index b96c62ff..b95cf9db 100644
--- a/ondevice-signing/odsign.rc
+++ b/ondevice-signing/odsign.rc
@@ -3,13 +3,10 @@ service odsign /system/bin/odsign
user root
group system
disabled # does not start with the core class
- # Explicitly specify empty capabilities, otherwise odsign will inherit all
- # the capabilities from init.
- # Note: whether a process can use capabilities is controlled by SELinux, so
- # inheriting all the capabilities from init is not a security issue.
- # However, for defense-in-depth and just for the sake of bookkeeping it's
- # better to explicitly state that odsign doesn't need any capabilities.
- capabilities
+ # We need SYS_NICE in order to allow the crosvm child process to use it.
+ # (b/322197421). odsign itself never uses it (and isn't allowed to by
+ # SELinux).
+ capabilities SYS_NICE
# Note that odsign is not oneshot, but stopped manually when it exits. This
# ensures that if odsign crashes during a module update, apexd will detect
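
Review bot: The new comment above `capabilities SYS_NICE` drops the rationale that the deleted block recorded, namely that the `capabilities` line is stated explicitly because "otherwise odsign will inherit all the capabilities from init". That reason still applies now that the list is non-empty, so keep one sentence of it; otherwise a later editor who no longer needs SYS_NICE may delete the whole line instead of returning it to an empty `capabilities`, and silently restore full inheritance. The comment also leans entirely on SELinux to keep odsign itself from using the capability ("isn't allowed to by SELinux"), so it would help to say which child this is scoped to in policy terms, since the visible change widens the set for a root service and the only stated guard lives outside this file. Finally, the comment cites b/322197421 while the commit message cites Bug:326557850; either reference both in the comment or note how they relate so the justification can be traced from the .rc file alone.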