Merge "Suppress spurious ipc_lock denials" into main

commit: e01e8d559510f1802ad2e497cfc0d27efdd3e08d [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Mon Feb 05 09:37:52 2024 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Feb 05 09:37:52 2024 +0000
tree: 0b10833bc52af12e61270f8c3892e03336d62ed6
parent: d02643a3ed660e50074d9d2201f0bd417a717ba7 [diff]
parent: aeab04ffcd2941febbd463cdbb204c4cbb74a965 [diff]
diff --git a/private/crosvm.te b/private/crosvm.te
index 6cd3969..4f99e8c 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -45,6 +45,12 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
+# When running a VM as root we get spurious capability denials.
+# Suppress them.
+userdebug_or_eng(`
+  dontaudit crosvm self:capability ipc_lock;
+')
+
 # Let crosvm access its control socket as created by VS.
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
commit	e01e8d559510f1802ad2e497cfc0d27efdd3e08d	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Mon Feb 05 09:37:52 2024 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Mon Feb 05 09:37:52 2024 +0000
tree	0b10833bc52af12e61270f8c3892e03336d62ed6
parent	d02643a3ed660e50074d9d2201f0bd417a717ba7 [diff]
parent	aeab04ffcd2941febbd463cdbb204c4cbb74a965 [diff]