From 128e771503ed7711f22bce72c112f1eab15f9ba3 Mon Sep 17 00:00:00 2001
From: Tianjie Xu <xunchang@google.com>
Date: Tue, 18 Apr 2017 11:29:32 -0700
Subject: Add 'system' to update_verifier's gid

This addresses the denial to /dev/cpuset/tasks:
update_verifier: type=1400 audit(0.0:377): avc: denied { dac_override }
for capability=1 scontext=u:r:update_verifier:s0
tcontext=u:r:update_verifier:s0 tclass=capability permissive=1

update_verifier: type=1400 audit(0.0:378): avc: granted { write } for
name="tasks" dev="cgroup" ino=5 scontext=u:r:update_verifier:s0
tcontext=u:object_r:cgroup:s0 tclass=file

Bug: 37358323
Test: denial message gone after adding system group
Change-Id: I66b4925295a13fbc1c6f26a1bb9bd2f9cebcec3d
(cherry-picked from 0ad2de5eab12dbf63ad43bd0c3e5ef729984cf81)
---
 update_verifier/update_verifier.rc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/update_verifier/update_verifier.rc b/update_verifier/update_verifier.rc
index 808f2c055..862b06257 100644
--- a/update_verifier/update_verifier.rc
+++ b/update_verifier/update_verifier.rc
@@ -1,11 +1,11 @@
 service update_verifier_nonencrypted /system/bin/update_verifier nonencrypted
     user root
-    group cache
+    group cache system
     priority -20
     ioprio rt 0
 
 service update_verifier /system/bin/update_verifier ${vold.decrypt}
     user root
-    group cache
+    group cache system
     priority -20
     ioprio rt 0
-- 
cgit v1.2.3