From 378ed74529da0708d8a7429e9136a24e4d290313 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Wed, 5 Jun 2024 21:29:02 +0000
Subject: [PATCH] more vm socket isolation
Bugs: me
Test: build
Change-Id: Ie34ac041f1234891043098a4decf05ec7a9e6761
---
 private/virtualizationmanager.te | 1 +
 private/virtualizationservice.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 72cc0a6b9..9b3cfcff8 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -61,6 +61,7 @@ dontaudit virtualizationmanager self:dir write;
 # Let virtualizationmanager to accept vsock connection from the guest VMs
 allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+neverallow { domain -virtualizationmanager } virtualizationmanager:vsock_socket { accept bind create connect listen };
 # Allow virtualizationmanager to inspect all hypervisor capabilities.
 get_prop(virtualizationmanager, hypervisor_prop)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index b5c04af96..f423c6672 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -83,6 +83,7 @@ allow virtualizationservice apex_virt_data_file:file create_file_perms;
 # Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
 # such as the guest tombstone server.
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
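Review bot: The new `neverallow { domain -virtualizationmanager } virtualizationmanager:vsock_socket { accept bind create connect listen };` line only forbids the endpoint-establishment permissions, while the `allow` line directly above grants `create_socket_perms_no_ioctl`, which (if it matches the usual global_macros definition) also carries `read write getattr setattr getopt setopt shutdown`; none of those are covered, so any other domain that receives one of these sockets as a passed fd can still exchange data on it or shut it down. That may well be intended, for example so a connected vsock fd can be handed to a client over binder, but I am inferring that and the commit message does not say, so the rule currently reads as stronger isolation than it provides. Either extend the set to the data-plane permissions or document the choice right above the rule, e.g. `# Only virtualizationmanager may create/bind/listen/connect/accept on sockets labeled virtualizationmanager; read/write are deliberately left unrestricted so a connected fd can be passed to a client (other domains' own vsock sockets are unaffected).`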
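Review bot: The added `neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };` has no comment stating the invariant it encodes, and the comment above the `allow` line only describes what virtualizationservice itself may do; since a neverallow violation surfaces as a policy build failure for whoever later adds a platform or vendor rule, a one-line rationale next to it saves that person a hunt. Suggest `# No other domain may establish or accept connections on virtualizationservice's vsock sockets (the guest tombstone server and similar singleton listeners live here).` As in the manager rule, `read write shutdown getopt setopt` are omitted from the permission set, so another fd holder could still read, write or tear down an accepted guest connection; if no fd hand-off is expected for these singleton services, consider adding at least `shutdown` and `setopt`, and if the omission is deliberate, say so in the same comment. "Test: build" is the right check for a neverallow, but note it only proves the combined policy of the build's own targets is clean.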