Move apexd to user/group root.

Some other root daemons (like vold) also access dev nodes that apexd
touches:

  /dev/loop-control
  /dev/device-mapper
  /dev/block/dm-*
  /dev/block/loop*

If apexd is system, it won't be able to touch these files; changing
those files to be owned by 'system' means all the root processes
accessing them need the DAC_OVERRIDE capability, and we'd also open
these up to other 'system' processes (if SELinux policy would allow
it).

Since root is anyway limited by capabilities and SELinux, and apexd
performs very similar tasks to other daemons already running as root
(e.g., vold, installd), making apexd root makes sense.

Bug: 112684055
Test: apexd running as root
Change-Id: I97ae60b6310671cde566ef08c07e3346e774fe7c
1 file changed