Allow CAP_SYS_NICE for crosvm Open up CAP_SYS_NICE policies so that crosvm can adjust uclamp on its vCPU threads to provide a boost in performance. Bug: 322197421 Test: Booted device and processes that checked that the correct capabilites are given with no sepolicy denials. Change-Id: I089bf26caf862c32e85440575800bb095bb9087b Signed-off-by: David Dai <davidai@google.com>

commit: 7066a961bd1cc0f5392716711a4a66513d2b9d39 [log] [tgz]
author: David Dai <davidai@google.com> Thu Feb 01 15:19:03 2024 -0800
committer: David Dai <davidai@google.com> Mon Feb 05 11:14:53 2024 -0800
tree: 6c40070fd23e577fcf3afff9ad0a39c8c808df12
parent: e01e8d559510f1802ad2e497cfc0d27efdd3e08d [diff]
diff --git a/private/crosvm.te b/private/crosvm.te
index 4f99e8c..6ad3727 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -51,6 +51,9 @@
   dontaudit crosvm self:capability ipc_lock;
 ')
 
+# Allow crosvm to tune for performance.
+allow crosvm self:global_capability_class_set sys_nice;
+
 # Let crosvm access its control socket as created by VS.
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
commit	7066a961bd1cc0f5392716711a4a66513d2b9d39	[log] [tgz]
author	David Dai <davidai@google.com>	Thu Feb 01 15:19:03 2024 -0800
committer	David Dai <davidai@google.com>	Mon Feb 05 11:14:53 2024 -0800
tree	6c40070fd23e577fcf3afff9ad0a39c8c808df12
parent	e01e8d559510f1802ad2e497cfc0d27efdd3e08d [diff]