cppreopts: remove DAC capabilities
Define service for cppreopts.sh in order to drop DAC capabilities for
it and its children. Capabilities were already blocked by SELinux
so this does not cause a functional change, but rather shifts the
blocking mechanism to the DAC capability check which fails less
noisily. Otherwise, this change is intended to preserve the previous
behavior and uses "exec_start" to preserve the blocking behavior of
"exec".
This prevents an selinux denial which is causing occasional presubmit
failures:
avc: denied { sys_resource } for comm="preopt2cachenam" capability=24
scontext=u:r:preopt2cachename:s0 tcontext=u:r:preopt2cachename:s0
tclass=capability permissive=0
Bug: 79414024
Test: Boot a phone with the cppreopts feature. Verify no logcat errors and all
the files are copied to the location given by preopt2cachename.
Change-Id: If630b53d32c3c0414939b1f8db8d486406003567
1 file changed