diff options
author | Jeff Vander Stoep <jeffv@google.com> | 2019-02-23 06:08:43 -0800 |
---|---|---|
committer | Jeffrey Vander Stoep <jeffv@google.com> | 2019-02-25 20:15:44 +0000 |
commit | c15906449b34fd0e93bd3873ddca9fd963b63c0a (patch) | |
tree | 6f8c748c5fef1343009fce8c6df8b42068ecd095 /cppreopts | |
parent | ecb8e06a5319b7467bc5f0a5a79c3cddfd7943f5 (diff) | |
download | extras-c15906449b34fd0e93bd3873ddca9fd963b63c0a.tar.gz |
cppreopts: remove DAC capabilities
Define service for cppreopts.sh in order to drop DAC capabilities for
for it and its children. Capabilities were already blocked by SELinux
so this does not cause a functional change, but rather shifts the
blocking mechanism to the DAC capability check which fails less
noisily. Otherwise, this change is intended to preserve the previous
behavior and uses "exec_start" to presever the blocking behavior of
"exec".
This prevents an selinux denial which is causing occasional presubmit
failures:
avc: denied { sys_resource } for comm="preopt2cachenam" capability=24
scontext=u:r:preopt2cachename:s0 tcontext=u:r:preopt2cachename:s0
tclass=capability permissive=0
Bug: 79414024
Test: Boot a phone with the cppreopts feature. Verify no logcat errors and all
the files are copied to the location given by preopt2cachename.
Change-Id: If630b53d32c3c0414939b1f8db8d486406003567
Diffstat (limited to 'cppreopts')
-rw-r--r-- | cppreopts/cppreopts.rc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/cppreopts/cppreopts.rc b/cppreopts/cppreopts.rc index e29a73ab..4ce04c51 100644 --- a/cppreopts/cppreopts.rc +++ b/cppreopts/cppreopts.rc @@ -12,9 +12,15 @@ # See the License for the specific language governing permissions and # limitations under the License. +service cppreopts /system/bin/cppreopts.sh /postinstall + oneshot + disabled + user root + capabilities + on property:sys.cppreopt=requested mount_all /system/etc/fstab.postinstall - exec - root -- /system/bin/cppreopts.sh /postinstall + exec_start cppreopts # Optional script to copy additional preloaded content to data directory exec - system system -- /system/bin/preloads_copy.sh /postinstall umount /postinstall |