Explicitly specify capabilities of root services in microdroid

This is a semi-automatic change to simply specify the capabilities that
these services have according to the sepolicy.

List of capabilities for each service was obtained by running:
`sesearch --allow -c capability,capability2 /tmp/microdroid-policy`

The policy specifies that all processes have CAP_AUDIT_CONTROL, but it
doesn't seem to be actually required, so it's omitted from the service
definitions.

Also switch tombstone_transmit to run as system user.

Test: presubmit
Test: atest --test-mapping packages/modules/Virtualization:avf-presubmit
Test: run demo app and verify capabilities of microdroid_launcher
Test: atest com.android.microdroid.test.MicrodroidTestCase#testTombstonesAreGeneratedUponCrash
Bug: 243633980
Bug: 249796710
Change-Id: I19b0cefb07fc7480b3f9dc05cb708a899489fe65
diff --git a/microdroid/init.rc b/microdroid/init.rc
index 47002c9..8b2bbdb 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -177,7 +177,7 @@
     mkdir /data/local/tmp 0771 shell shell
 
 service tombstone_transmit /system/bin/tombstone_transmit.microdroid -cid 2 -port 2000 -remove_tombstones_after_transmitting
-    user root
+    user system
     group system
     shutdown critical
 
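Review bot: With `user system` in place of `user root`, tombstone_transmit still runs with `-remove_tombstones_after_transmitting`, so it now depends on file permissions alone to read and unlink the tombstone files, and nothing in this hunk shows that the directory holding them is accessible to the system user or group. Please confirm that the directory is created with an owner or mode that lets `system` delete entries, and consider a one-line comment above the service recording why root is no longer needed. The listed test `testTombstonesAreGeneratedUponCrash` is named for generation of tombstones; it would be worth stating in the commit message whether it also exercises removal after transmit.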
@@ -186,12 +186,14 @@
     group system
     oneshot
     disabled
+    capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER SYS_ADMIN
 
 service ueventd /system/bin/ueventd
     class core
     critical
     seclabel u:r:ueventd:s0
     shutdown critical
+    capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD NET_ADMIN SETGID SETUID SYS_MODULE SYS_RAWIO
 
 service console /system/bin/sh
     class core
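Review bot: The two added `capabilities` lines copy the sepolicy allow rules wholesale, including the broadest entries (`SYS_ADMIN` on the first service, `SYS_MODULE`, `SYS_RAWIO` and `NET_ADMIN` on ueventd), and an allow rule is an upper bound on what a domain may use rather than evidence that the service needs it. The commit message already drops CAP_AUDIT_CONTROL on the grounds that it is not actually required; the same check applied to each capability here would let the lists shrink, or at least document that they are a starting point to be narrowed in a follow-up. A comment next to each line noting that it mirrors the sepolicy for that domain would also help keep the two in sync when one of them changes. The first added line belongs to a service whose `service` header sits above the visible context, so it is worth double-checking that it is the service intended to receive `SYS_ADMIN`.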