author Jeff Vander Stoep <jeffv@google.com> 2020-04-23 10:12:56 +0200
committer Anton Hansson <hansson@google.com> 2020-04-23 11:37:55 +0100
commit 154cac3994640001d95d1cdcd30df20515495fc3
tree ab7b9630993b7db3a81074da63bd424ed65bdf90
parent 85df93ed71300304dd810f1439aa9162f8eb6a8e
derive_sdk: run as nobody

Unfortunately, root is the default user/group for init-launched services. This can lead to processes unnecessarily requesting permissions like privileged capabilities.

This service doesn't require any privileges so run it as AID_NOBODY.

Addresses:
avc: denied { sys_resource } for comm=\"derive_sdk\" capability=24 scontext=u:r:derive_sdk:s0 tcontext=u:r:derive_sdk:s0 tclass=capability permissive=0

Bug: 154711554
Test: m com.android.sdkext
Test: boot && adb shell getprop | grep sdk_info
Change-Id: Ibd4ad616901a9d5c402ba89d636d0238b0043afa
Merged-In: Ibd4ad616901a9d5c402ba89d636d0238b0043afa

-rw-r--r-- apex/sdkextensions/derive_sdk/derive_sdk.rc | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/apex/sdkextensions/derive_sdk/derive_sdk.rc b/apex/sdkextensions/derive_sdk/derive_sdk.rc
index 1b667949eeaa..18f021ccadff 100644
--- a/apex/sdkextensions/derive_sdk/derive_sdk.rc
+++ b/apex/sdkextensions/derive_sdk/derive_sdk.rc
@@ -1,3 +1,5 @@
service derive_sdk /apex/com.android.sdkext/bin/derive_sdk
+ user nobody
+ group nobody
oneshot
disabled
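
Review bot: the added `user nobody` / `group nobody` lines under `service derive_sdk` carry no comment saying why the service is pinned to an unprivileged account, so a later cleanup of this stanza could drop them and return the service to init's default root without anyone noticing; a one-line `#` comment above them stating that the service needs no privileges would record the intent. The Test: lines in the commit message confirm that `getprop` still shows sdk_info after boot, but not that the `sys_resource` denial quoted under Addresses: is gone; a post-boot check that no `avc: denied` line with comm derive_sdk remains would cover the stated goal of the change.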