Snap for 11504324 from 92e62bcfbf to 24Q2-release

Change-Id: Iad9222ab7c19618596359483bb640b6754b17d55
2024-02-28 00:24:46 +00:00 · 2024-02-28 00:24:46 +00:00 · 4488d3d789
commit 4488d3d789
parent 3e6321a1e4 92e62bcfbf
1 changed files with 4 additions and 7 deletions
--- a/ondevice-signing/odsign.rc
+++ b/ondevice-signing/odsign.rc
@ -3,13 +3,10 @@ service odsign /system/bin/odsign
    user root
    group system
    disabled # does not start with the core class
-    # Explicitly specify empty capabilities, otherwise odsign will inherit all
-    # the capabilities from init.
-    # Note: whether a process can use capabilities is controlled by SELinux, so
-    # inheriting all the capabilities from init is not a security issue.
-    # However, for defense-in-depth and just for the sake of bookkeeping it's
-    # better to explicitly state that odsign doesn't need any capabilities.
-    capabilities
+    # We need SYS_NICE in order to allow the crosvm child process to use it.
+    # (b/322197421). odsign itself never uses it (and isn't allowed to by
+    # SELinux).
+    capabilities SYS_NICE

 # Note that odsign is not oneshot, but stopped manually when it exits. This
 # ensures that if odsign crashes during a module update, apexd will detect