Merge "Grant SYS_NICE for odsign" into main

2024-02-27 15:50:00 +00:00 · 2024-02-27 15:50:00 +00:00 · 94646d7d19
commit 94646d7d19
parent cbae97c988 c8e0cac014
1 changed files with 4 additions and 7 deletions
--- a/ondevice-signing/odsign.rc
+++ b/ondevice-signing/odsign.rc
@ -3,13 +3,10 @@ service odsign /system/bin/odsign
    user root
    group system
    disabled # does not start with the core class
-    # Explicitly specify empty capabilities, otherwise odsign will inherit all
-    # the capabilities from init.
-    # Note: whether a process can use capabilities is controlled by SELinux, so
-    # inheriting all the capabilities from init is not a security issue.
-    # However, for defense-in-depth and just for the sake of bookkeeping it's
-    # better to explicitly state that odsign doesn't need any capabilities.
-    capabilities
+    # We need SYS_NICE in order to allow the crosvm child process to use it.
+    # (b/322197421). odsign itself never uses it (and isn't allowed to by
+    # SELinux).
+    capabilities SYS_NICE

 # Note that odsign is not oneshot, but stopped manually when it exits. This
 # ensures that if odsign crashes during a module update, apexd will detect