tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

more vm socket isolation am: 378ed74529

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3114226

Change-Id: Ib8605365b1823611b41183bdfc548c6abc913ec8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Steven Moreland 2024-06-06 18:47:07 +00:00 committed by Automerger Merge Worker
commit 57061954d2
2 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/virtualizationmanager.te
View file

@ -61,6 +61,7 @@ dontaudit virtualizationmanager self:dir write;
# Let virtualizationmanager to accept vsock connection from the guest VMs
allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
neverallow { domain -virtualizationmanager } virtualizationmanager:vsock_socket { accept bind create connect listen };
# Allow virtualizationmanager to inspect all hypervisor capabilities.
get_prop(virtualizationmanager, hypervisor_prop)

1
private/virtualizationservice.te
View file

@ -83,6 +83,7 @@ allow virtualizationservice apex_virt_data_file:file create_file_perms;
# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)