init: Allow SETPCAP for dropping bounding set. This is required for https://android-review.googlesource.com/#/c/295748 so that init can drop the capability bounding set for services. Bug: 32438163 Test: With 295748 and a test service using ambient capabilities. Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065

commit: 847bfa4ab2c2b8b5bdd9fd51736599689d6a4c12 [log] [tgz]
author: Jorge Lucangeli Obes <jorgelo@google.com> Mon Oct 31 16:29:34 2016 -0400
committer: Jorge Lucangeli Obes <jorgelo@google.com> Tue Nov 01 14:32:13 2016 -0400
tree: 73404a4c7292f0e0b806961b95221128781654a3
parent: e112faeaa8692a4f27cb585d79dd629f65ecef63 [diff]
diff --git a/public/init.te b/public/init.te
index 16bafc3..a029219 100644
--- a/public/init.te
+++ b/public/init.te

@@ -246,8 +246,8 @@
 allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
 
-# Set UID and GID for services.
-allow init self:capability { setuid setgid };
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:capability { setuid setgid setpcap };
 
 # For bootchart to read the /proc/$pid/cmdline file of each process,
 # we need to have following line to allow init to have access
commit	847bfa4ab2c2b8b5bdd9fd51736599689d6a4c12	[log] [tgz]
author	Jorge Lucangeli Obes <jorgelo@google.com>	Mon Oct 31 16:29:34 2016 -0400
committer	Jorge Lucangeli Obes <jorgelo@google.com>	Tue Nov 01 14:32:13 2016 -0400
tree	73404a4c7292f0e0b806961b95221128781654a3
parent	e112faeaa8692a4f27cb585d79dd629f65ecef63 [diff]