diff --git a/ondevice-signing/odsign.rc b/ondevice-signing/odsign.rc index b96c62ff..b95cf9db 100644 --- a/ondevice-signing/odsign.rc +++ b/ondevice-signing/odsign.rc @@ -3,13 +3,10 @@ service odsign /system/bin/odsign user root group system disabled # does not start with the core class - # Explicitly specify empty capabilities, otherwise odsign will inherit all - # the capabilities from init. - # Note: whether a process can use capabilities is controlled by SELinux, so - # inheriting all the capabilities from init is not a security issue. - # However, for defense-in-depth and just for the sake of bookkeeping it's - # better to explicitly state that odsign doesn't need any capabilities. - capabilities + # We need SYS_NICE in order to allow the crosvm child process to use it. + # (b/322197421). odsign itself never uses it (and isn't allowed to by + # SELinux). + capabilities SYS_NICE # Note that odsign is not oneshot, but stopped manually when it exits. This # ensures that if odsign crashes during a module update, apexd will detect
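Review bot: The new comment above `capabilities SYS_NICE` drops the rationale the removed comment gave for listing capabilities explicitly (without the line, odsign would inherit all the capabilities from init), so a later reader may not realise the list is deliberately restricted to this single entry. Consider keeping one sentence of it, for example "Explicitly list only SYS_NICE; otherwise odsign will inherit all the capabilities from init." The comment also states that odsign itself isn't allowed to use SYS_NICE by SELinux, but the policy enforcing that is not part of this change; naming the relevant sepolicy rule next to the b/322197421 reference would let a reviewer confirm that only the crosvm child can exercise the capability.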