Allow crosvm to mlock VM memory. Bug: 204298056 Change-Id: I5b00273ffa37d4c1ea2f26bb40822abd0d094d90

commit: ed82cc82becf968168cdcd387488c9d98267f079 [log] [tgz]
author: Andrew Walbran <qwandor@google.com> Fri Jan 14 13:47:05 2022 +0000
committer: Andrew Walbran <qwandor@google.com> Fri Jan 14 13:47:05 2022 +0000
tree: bf91ac76e6f6c31b55c78bc8fd9a418ab027b263
parent: 70cd2da646ea9b8282af33e62657040907d92791 [diff] [blame]
diff --git a/private/crosvm.te b/private/crosvm.te
index 5106f87..b3d96c8 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -10,6 +10,9 @@
 neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
 neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
 
+# Let crosvm mlock VM memory and page tables.
+allow crosvm self:capability ipc_lock;
+
 # Let crosvm create temporary files.
 tmpfs_domain(crosvm)
commit	ed82cc82becf968168cdcd387488c9d98267f079	[log] [tgz]
author	Andrew Walbran <qwandor@google.com>	Fri Jan 14 13:47:05 2022 +0000
committer	Andrew Walbran <qwandor@google.com>	Fri Jan 14 13:47:05 2022 +0000
tree	bf91ac76e6f6c31b55c78bc8fd9a418ab027b263
parent	70cd2da646ea9b8282af33e62657040907d92791 [diff] [blame]