From 3c587db57d104354d92e41892327beb1b37ca88b Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Thu, 23 Apr 2020 10:12:56 +0200 Subject: [PATCH] derive_sdk: run as nobody Unfortunately, root is the default user/group for init-launched services. This can lead to processes unnecessarily requesting permissions like privileged capabilities. This service doesn't require any privileges so run it as AID_NOBODY. Addresses: avc: denied { sys_resource } for comm=\"derive_sdk\" capability=24 scontext=u:r:derive_sdk:s0 tcontext=u:r:derive_sdk:s0 tclass=capability permissive=0 Bug: 154711554 Test: m com.android.sdkext Test: boot && adb shell getprop | grep sdk_info Change-Id: Ibd4ad616901a9d5c402ba89d636d0238b0043afa --- apex/sdkextensions/derive_sdk/derive_sdk.rc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apex/sdkextensions/derive_sdk/derive_sdk.rc b/apex/sdkextensions/derive_sdk/derive_sdk.rc index 1b667949eeaa2..18f021ccadff1 100644 --- a/apex/sdkextensions/derive_sdk/derive_sdk.rc +++ b/apex/sdkextensions/derive_sdk/derive_sdk.rc @@ -1,3 +1,5 @@ service derive_sdk /apex/com.android.sdkext/bin/derive_sdk + user nobody + group nobody oneshot disabled
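Review bot: On the two added lines `user nobody` and `group nobody`, nothing in derive_sdk.rc records why the service is pinned to an unprivileged identity, so a later edit could drop them without anyone noticing the regression. A one-line comment above them saying that derive_sdk needs no privileges, with the bug number from the commit message, would make the intent survive in the file itself. The Test lines only check that the build succeeds and that the sdk_info properties are still set after boot. It is worth also confirming in the boot log that the `avc: denied { sys_resource }` entry for comm="derive_sdk" no longer appears, since that denial is what the change is meant to address.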