Flag guard canned_fs_config_sys_nice
Guard the use of canned_fs_config_sys_nice behind the
RELEASE_AVF_ENABLE_VIRT_CPUFREQ flag. That file allows for elevated SYS_NICE
permissions when running crosvm.
Test: m, tested with flag on/off and checked caps were applied
correctly.
Bug: 322197421
Change-Id: I35f87d23445d1c2583bd3888a6ff242b1c55992d
Signed-off-by: David Dai <davidai@google.com>
diff --git a/apex/Android.bp b/apex/Android.bp
index 7cc0414..cc59b16 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -41,10 +41,12 @@
"release_avf_enable_llpvm_changes",
"release_avf_enable_remote_attestation",
"release_avf_enable_vendor_modules",
+ "release_avf_enable_virt_cpufreq",
],
properties: [
"androidManifest",
"arch",
+ "canned_fs_config",
"prebuilts",
"systemserverclasspath_fragments",
"vintf_fragments",
@@ -68,7 +70,6 @@
],
file_contexts: ":com.android.virt-file_contexts",
- canned_fs_config: "canned_fs_config",
bootclasspath_fragments: [
"com.android.virt-bootclasspath-fragment",
@@ -90,6 +91,12 @@
"com.android.virt-systemserver-fragment",
],
},
+ release_avf_enable_virt_cpufreq: {
+ canned_fs_config: "canned_fs_config_sys_nice",
+ conditions_default: {
+ canned_fs_config: "canned_fs_config",
+ },
+ },
},
}
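Review bot: The new `release_avf_enable_virt_cpufreq` block selects between two complete fs_config files, and nothing here says they have to stay in step. `canned_fs_config_sys_nice` repeats the `/bin/virtualizationservice` entry, which presumably mirrors the default `canned_fs_config` (that file is not part of this diff). A later change to one file can therefore silently drop or widen a capability in only one flag state. I would add a comment above the block such as `// canned_fs_config_sys_nice = canned_fs_config + CAP_SYS_NICE on crosvm; keep every other entry identical in both files.` The enclosing module definition starts outside this hunk.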
diff --git a/apex/canned_fs_config_sys_nice b/apex/canned_fs_config_sys_nice
new file mode 100644
index 0000000..5b12eb5
--- /dev/null
+++ b/apex/canned_fs_config_sys_nice
@@ -0,0 +1,2 @@
+/bin/virtualizationservice 0 2000 0755 capabilities=0x1000001 # CAP_CHOWN, CAP_SYS_RESOURCE
+/bin/crosvm 0 3013 0755 capabilities=0x800000 # SYS_NICE
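Review bot: `/bin/crosvm` is installed with mode 0755 while carrying `capabilities=0x800000`, so the file mode does not restrict the capability to group 3013. Any caller that is allowed to execute the binary and still has CAP_SYS_NICE in its bounding set would acquire it, and only policy outside this diff (presumably SELinux) narrows that. If only that group is meant to launch crosvm, stating it in the entry itself gives a second layer: `/bin/crosvm 0 3013 0750 capabilities=0x800000 # CAP_SYS_NICE`. The trailing comment should use the full name `CAP_SYS_NICE` either way, to match the `CAP_CHOWN, CAP_SYS_RESOURCE` comment on the line above.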