author: Jeff Vander Stoep <jeffv@google.com> 2019-02-23 06:08:43 -0800
committer: Jeffrey Vander Stoep <jeffv@google.com> 2019-02-25 20:15:44 +0000
commit: c15906449b34fd0e93bd3873ddca9fd963b63c0a
tree: 6f8c748c5fef1343009fce8c6df8b42068ecd095 /cppreopts
parent: ecb8e06a5319b7467bc5f0a5a79c3cddfd7943f5
cppreopts: remove DAC capabilities

Define service for cppreopts.sh in order to drop DAC capabilities for it and its children. Capabilities were already blocked by SELinux so this does not cause a functional change, but rather shifts the blocking mechanism to the DAC capability check which fails less noisily. Otherwise, this change is intended to preserve the previous behavior and uses "exec_start" to preserve the blocking behavior of "exec".

This prevents an selinux denial which is causing occasional presubmit failures:
avc: denied { sys_resource } for comm="preopt2cachenam" capability=24 scontext=u:r:preopt2cachename:s0 tcontext=u:r:preopt2cachename:s0 tclass=capability permissive=0

Bug: 79414024
Test: Boot a phone with the cppreopts feature. Verify no logcat errors and all the files are copied to the location given by preopt2cachename.
Change-Id: If630b53d32c3c0414939b1f8db8d486406003567
Diffstat (limited to 'cppreopts')
-rw-r--r-- cppreopts/cppreopts.rc | 8
1 files changed, 7 insertions, 1 deletions
diff --git a/cppreopts/cppreopts.rc b/cppreopts/cppreopts.rc
index e29a73ab..4ce04c51 100644
--- a/cppreopts/cppreopts.rc
+++ b/cppreopts/cppreopts.rc
@@ -12,9 +12,15 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+service cppreopts /system/bin/cppreopts.sh /postinstall
+ oneshot
+ disabled
+ user root
+ capabilities
+
on property:sys.cppreopt=requested
mount_all /system/etc/fstab.postinstall
- exec - root -- /system/bin/cppreopts.sh /postinstall
+ exec_start cppreopts
# Optional script to copy additional preloaded content to data directory
exec - system system -- /system/bin/preloads_copy.sh /postinstall
umount /postinstall
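Review bot: The bare "capabilities" line in the new "service cppreopts" block reads like an unfinished option, and nothing in the file says the empty list is deliberate. Add a comment above it stating that an empty "capabilities" list drops every capability from the service even though it runs as "user root", so a later edit does not delete the line or add a capability back without noticing that SELinux denies it anyway. A short comment at "exec_start cppreopts" noting that it blocks like the "exec" it replaces would also keep the ordering dependency with the later "umount /postinstall" visible to whoever touches this trigger next.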