From 847bfa4ab2c2b8b5bdd9fd51736599689d6a4c12 Mon Sep 17 00:00:00 2001
From: Jorge Lucangeli Obes <jorgelo@google.com>
Date: Mon, 31 Oct 2016 16:29:34 -0400
Subject: [PATCH] init: Allow SETPCAP for dropping bounding set.

This is required for https://android-review.googlesource.com/#/c/295748
so that init can drop the capability bounding set for services.

Bug: 32438163
Test: With 295748 and a test service using ambient capabilities.
Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
---
 public/init.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/public/init.te b/public/init.te
index 16bafc31d..a029219ad 100644
--- a/public/init.te
+++ b/public/init.te
@@ -246,8 +246,8 @@ allow init vold_data_file:file { getattr };
 allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
 
-# Set UID and GID for services.
-allow init self:capability { setuid setgid };
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:capability { setuid setgid setpcap };
 
 # For bootchart to read the /proc/$pid/cmdline file of each process,
 # we need to have following line to allow init to have access
-- 
GitLab