From c8e0cac0145fc3b5647f37d46a3d84d8ae68b297 Mon Sep 17 00:00:00 2001 From: David Dai Date: Mon, 26 Feb 2024 15:54:06 -0800 Subject: Grant SYS_NICE for odsign Grant sys_nice capabilities to odsign so that it can spawn VMs with sys_nice enabled which is used by compos_verify. Bug:326557850 Test: atest odsign_e2e_tests_full Change-Id: I9f502b997123faf9bc5a8e04f416726ea8001e41 Signed-off-by: David Dai --- ondevice-signing/odsign.rc | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/ondevice-signing/odsign.rc b/ondevice-signing/odsign.rc index b96c62ff..b95cf9db 100644 --- a/ondevice-signing/odsign.rc +++ b/ondevice-signing/odsign.rc @@ -3,13 +3,10 @@ service odsign /system/bin/odsign user root group system disabled # does not start with the core class - # Explicitly specify empty capabilities, otherwise odsign will inherit all - # the capabilities from init. - # Note: whether a process can use capabilities is controlled by SELinux, so - # inheriting all the capabilities from init is not a security issue. - # However, for defense-in-depth and just for the sake of bookkeeping it's - # better to explicitly state that odsign doesn't need any capabilities. - capabilities + # We need SYS_NICE in order to allow the crosvm child process to use it. + # (b/322197421). odsign itself never uses it (and isn't allowed to by + # SELinux). + capabilities SYS_NICE # Note that odsign is not oneshot, but stopped manually when it exits. This # ensures that if odsign crashes during a module update, apexd will detect -- cgit v1.2.3
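Review bot: The replacement comment above `capabilities SYS_NICE` drops the reason the directive is spelled out at all, namely that without an explicit `capabilities` line odsign inherits every capability from init. Keep one sentence of that rationale next to the new text, so a later cleanup that no longer needs SYS_NICE reverts to an empty `capabilities` line rather than deleting the directive, and so it is clear the set is meant to be exactly SYS_NICE. The comment also cites b/322197421 while the commit message cites Bug:326557850; if both are relevant, list them together in one place. Finally, the new comment states that SELinux is what keeps odsign itself from using the capability; naming the policy rule or test that enforces this would preserve the bookkeeping the removed comment asked for.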