From 96da70eb4f92dcf38b28e4a9854de5b222bb84e6 Mon Sep 17 00:00:00 2001
From: Philip Cuadra <philipcuadra@google.com>
Date: Mon, 2 May 2016 11:04:39 -0700
Subject: [PATCH] Add CAP_IPC_LOCK and pinner to system_server

Add pinner service to system_service services.
Add CAP_IPC_LOCK permissions to system_server in order to allow
system_server to pin more memory than the lockedmem ulimit.

bug 28251566

Change-Id: I990c73d25fce4f2cc9a2db0015aa238fa7b0e984
---
 service.te       | 1 +
 service_contexts | 1 +
 system_server.te | 1 +
 3 files changed, 3 insertions(+)

diff --git a/service.te b/service.te
index 8fea071b7..6b5838c5b 100644
--- a/service.te
+++ b/service.te
@@ -83,6 +83,7 @@ type otadexopt_service, system_server_service, service_manager_type;
 type package_service, app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
 type power_service, app_api_service, system_server_service, service_manager_type;
 type print_service, app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 11c073615..0ddbdc171 100644
--- a/service_contexts
+++ b/service_contexts
@@ -99,6 +99,7 @@ phone_msim                                u:object_r:radio_service:s0
 phone1                                    u:object_r:radio_service:s0
 phone2                                    u:object_r:radio_service:s0
 phone                                     u:object_r:radio_service:s0
+pinner                                    u:object_r:pinner_service:s0
 power                                     u:object_r:power_service:s0
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0
diff --git a/system_server.te b/system_server.te
index 8760182d1..d1976c2c2 100644
--- a/system_server.te
+++ b/system_server.te
@@ -46,6 +46,7 @@ bluetooth_domain(system_server)
 # These are the capabilities assigned by the zygote to the
 # system server.
 allow system_server self:capability {
+    ipc_lock
     kill
     net_admin
     net_bind_service
-- 
GitLab