Suppress spurious ipc_lock denials

When running a VM from a root shell (e.g. via vm_shell), we see
frequent ipc_lock denials:

avc: denied { ipc_lock } for comm="crosvm" capability=14
scontext=u:r:crosvm:s0 tcontext=u:r:crosvm:s0 tclass=capability
permissive=0

These don't appear for non-root crosvm, and don't prevent the VM from
working. Suppress them to reduce log spam.

Test: Run vm_shell
Change-Id: I3b68ca9e3f15709a1f0fce285ba8916419ee82e8
diff --git a/private/crosvm.te b/private/crosvm.te
index 6cd3969..4f99e8c 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -45,6 +45,12 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
+# When running a VM as root we get spurious capability denials.
+# Suppress them.
+userdebug_or_eng(`
+  dontaudit crosvm self:capability ipc_lock;
+')
+
 # Let crosvm access its control socket as created by VS.
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
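Review bot: The new comment above the `userdebug_or_eng` block says only "spurious capability denials" and does not record which capability is meant, why the denial is harmless, or why the rule is limited to debug builds. Consider naming `ipc_lock` in the comment and carrying over the reasoning from the commit message (the denial shows up only when crosvm is started from a root shell such as vm_shell, and the VM still works), plus a note that root shells exist only on userdebug/eng if that is the reason for the macro. Because `dontaudit` only silences the log and grants nothing, this rule will also hide any future `ipc_lock` denial for crosvm on those builds that is not spurious, so it would help to state in the comment that the rule should be revisited if crosvm ever needs to lock memory.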