Merge "odsign: explicitly specify empty capabilities"

commit: eb77cb8b80095652c4d039ca654a2ff0f285734f [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Wed Jan 04 11:53:03 2023 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Jan 04 11:53:03 2023 +0000
tree: 75d9f9943cf2bf8fa413484b42cebc8fdf1f4bf0
parent: 26d4222e9296885cd1c3ebd47be668350c29d6da [diff]
parent: 03f299012f9d325b4c84a9a5ab670df51875f2fa [diff]
diff --git a/ondevice-signing/odsign.rc b/ondevice-signing/odsign.rc
index de09fc0..b96c62f 100644
--- a/ondevice-signing/odsign.rc
+++ b/ondevice-signing/odsign.rc

@@ -3,6 +3,13 @@
     user root
     group system
     disabled # does not start with the core class
+    # Explicitly specify empty capabilities, otherwise odsign will inherit all
+    # the capabilities from init.
+    # Note: whether a process can use capabilities is controlled by SELinux, so
+    # inheriting all the capabilities from init is not a security issue.
+    # However, for defense-in-depth and just for the sake of bookkeeping it's
+    # better to explicitly state that odsign doesn't need any capabilities.
+    capabilities
 
 # Note that odsign is not oneshot, but stopped manually when it exits. This
 # ensures that if odsign crashes during a module update, apexd will detect
commit	eb77cb8b80095652c4d039ca654a2ff0f285734f	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Wed Jan 04 11:53:03 2023 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Jan 04 11:53:03 2023 +0000
tree	75d9f9943cf2bf8fa413484b42cebc8fdf1f4bf0
parent	26d4222e9296885cd1c3ebd47be668350c29d6da [diff]
parent	03f299012f9d325b4c84a9a5ab670df51875f2fa [diff]