tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

more vm socket isolation

Browse source 
Bugs: me
Test: build
Change-Id: Ie34ac041f1234891043098a4decf05ec7a9e6761
This commit is contained in:
Steven Moreland 2024-06-05 21:29:02 +00:00
parent 0467d14618
commit 378ed74529
2 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/virtualizationmanager.te
View file

@ -61,6 +61,7 @@ dontaudit virtualizationmanager self:dir write;
# Let virtualizationmanager to accept vsock connection from the guest VMs
allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
neverallow { domain -virtualizationmanager } virtualizationmanager:vsock_socket { accept bind create connect listen };
# Allow virtualizationmanager to inspect all hypervisor capabilities.
get_prop(virtualizationmanager, hypervisor_prop)

1
private/virtualizationservice.te
View file

@ -83,6 +83,7 @@ allow virtualizationservice apex_virt_data_file:file create_file_perms;
# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)