system_server: replace sys_resource with sys_ptrace
Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.
Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.
Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
(cherry picked from commit 448669540c0b7c22ee8b8293217818f8f92238b6)
(cherry picked from commit 3d8dde0e2e7ae6d6901ec3a708c8b891eacf1631)
1 file changed