From bc12bccd8f25052bbcff5f73924b96d05f6bde07 Mon Sep 17 00:00:00 2001 From: Alan Stokes Date: Fri, 26 Jan 2024 11:01:14 +0000 Subject: [PATCH] crosvm doesn't need IPC_LOCK crosvm calls mlock. It used to need this capability, but now we remove the rlimit (in Virtualization Manager via Virtualization Service) so it no longer needs it and in fact is no longer granted it. (This was previously removed in commit 88f98d96dae3fb2616e93969685cbd737c364a0f, but accidentally re-introduced in commit 88f98d96dae3fb2616e93969685cbd737c364a0f.) Bug: 322197421 Test: atest MicrodroidTests Change-Id: I091170d0cb9b5617584b687e7f24cff153e06c85
---
 private/crosvm.te | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/private/crosvm.te b/private/crosvm.te
index ed89b8789..6cd396962 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -45,9 +45,6 @@ allow crosvm {
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
-# Allow crosvm to mlock guest memory.
-allow crosvm self:capability ipc_lock;
-
 # Let crosvm access its control socket as created by VS.
 # read, write, getattr: listener socket polling
 # accept: listener socket accepting new connection