Relax crosvm flagged neverallow rules Flagged neverallow rule exceptions break CtsSecurityHostTestCases SELinuxNeverallowRulesTest#testNeverallowRules when the exception is used by a target branch that enables the flag under a CTS branch that does not enable the flag. Since CTS release configurations are fixed, these neverallow exceptions should not be flagged. Remove the flagging of exceptions guarded by RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES to resolve an observed test failure. Bug: 372674177 Test: m Flag: EXEMPT bugfix Change-Id: Ie023b264844d7985d71fe0dd28a15d5c08bdcaee

commit: 6d3126d896c14449feb9721aec11120e5514a1a1 [log] [tgz]
author: Todd Frederick <tfred@google.com> Tue Oct 22 15:13:47 2024 +0000
committer: Todd Frederick <tfred@google.com> Tue Oct 22 16:03:53 2024 +0000
tree: 795237e4cd2cdbb34275d47819b7e91d55d74dd6
parent: ed0e1e49f3d307412c954d2410876f307811d56e [diff] [blame]
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index bc29e39..1acf734 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -131,7 +131,7 @@
   -virtualizationmanager
   -virtualizationservice
   # TODO(b/332677707): remove them when display service uses binder RPC.
-  is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
+  -crosvm
 }:process setrlimit;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
commit	6d3126d896c14449feb9721aec11120e5514a1a1	[log] [tgz]
author	Todd Frederick <tfred@google.com>	Tue Oct 22 15:13:47 2024 +0000
committer	Todd Frederick <tfred@google.com>	Tue Oct 22 16:03:53 2024 +0000
tree	795237e4cd2cdbb34275d47819b7e91d55d74dd6
parent	ed0e1e49f3d307412c954d2410876f307811d56e [diff] [blame]