From 847bfa4ab2c2b8b5bdd9fd51736599689d6a4c12 Mon Sep 17 00:00:00 2001 From: Jorge Lucangeli Obes <jorgelo@google.com> Date: Mon, 31 Oct 2016 16:29:34 -0400 Subject: [PATCH] init: Allow SETPCAP for dropping bounding set. This is required for https://android-review.googlesource.com/#/c/295748 so that init can drop the capability bounding set for services. Bug: 32438163 Test: With 295748 and a test service using ambient capabilities. Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065 --- public/init.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/public/init.te b/public/init.te index 16bafc31d..a029219ad 100644 --- a/public/init.te +++ b/public/init.te @@ -246,8 +246,8 @@ allow init vold_data_file:file { getattr }; allow init shell_data_file:dir { open create read getattr setattr search }; allow init shell_data_file:file { getattr }; -# Set UID and GID for services. -allow init self:capability { setuid setgid }; +# Set UID, GID, and adjust capability bounding set for services. +allow init self:capability { setuid setgid setpcap }; # For bootchart to read the /proc/$pid/cmdline file of each process, # we need to have following line to allow init to have access -- GitLab