Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3c587db5 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep
Browse files

derive_sdk: run as nobody 

Unfortunately, root is the default user/group for
init-launched services. This can lead to processes
unnecessarily requesting permissions like privileged
capabilities. This service doesn't require any privileges
so run it as AID_NOBODY.

Addresses:
avc: denied { sys_resource } for comm=\"derive_sdk\" capability=24
scontext=u:r:derive_sdk:s0 tcontext=u:r:derive_sdk:s0
tclass=capability permissive=0

Bug: 154711554
Test: m com.android.sdkext
Test: boot && adb shell getprop | grep sdk_info
Change-Id: Ibd4ad616901a9d5c402ba89d636d0238b0043afa
parent bbb5a3c7

apex/sdkextensions/derive_sdk/derive_sdk.rc

+2 −0
Original line number Diff line number Diff line 
service derive_sdk /apex/com.android.sdkext/bin/derive_sdk

    user nobody

    group nobody

    oneshot

    disabled