Fix comment to match code
Bug: 322197421
Test: N/A
Change-Id: Iaabbbeec96f5f34c0472dd5f604cc787dc84344f
diff --git a/compos/apex/composd.rc b/compos/apex/composd.rc
index aa4b575..55f3737 100644
--- a/compos/apex/composd.rc
+++ b/compos/apex/composd.rc
@@ -19,10 +19,7 @@
interface aidl android.system.composd
disabled
oneshot
- # Explicitly specify empty capabilities, otherwise composd will inherit all
- # the capabilities from init.
- # Note: whether a process can use capabilities is controlled by SELinux, so
- # inheriting all the capabilities from init is not a security issue.
- # However, for defense-in-depth and just for the sake of bookkeeping it's
- # better to explicitly state that composd doesn't need any capabilities.
+ # We need SYS_NICE in order to allow the crosvm child process to use it.
+ # (b/322197421). composd itself never uses it (and isn't allowed to by
+ # SELinux).
capabilities SYS_NICE
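Review bot: The new comment above `capabilities SYS_NICE` no longer records that omitting the `capabilities` line makes composd inherit every capability from init, which was the reason the removed comment gave for listing capabilities explicitly. That still matters for anyone who later trims or deletes this entry, so I would keep one sentence for it, e.g. `# Keep this list explicit and minimal: without a capabilities line composd would inherit all capabilities from init.` The comment also relies on SELinux policy to keep composd itself from using SYS_NICE, so it would help to say that a policy change granting it should prompt a re-check of this line. The service stanza starts above the hunk, so its other options are not visible here.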