Merge "Restrict access to virtualization service's vsocks" into main
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index b6ba55b..bc29e39 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -85,10 +85,10 @@
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;
-# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# Accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
-allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
+allow virtualizationservice self:vsock_socket { create read getattr write setattr lock append bind getopt setopt shutdown map listen accept };
+neverallow { domain -virtualizationservice -dumpstate } virtualizationservice:vsock_socket *;
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
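Review bot: The new allow rule on the vsock_socket line spells out what looks like the expansion of `create_socket_perms_no_ioctl` with `connect` removed (and `listen accept` added), but nothing in the comment says that `connect` is deliberately absent, so a later reader comparing it against the macro may "fix" it back and re-grant outbound vsock connections. The comment above the rule should state the intent, e.g. `# Deliberately omits connect: virtualizationservice only listens for and accepts guest connections, it never initiates them.` The widened neverallow now covers every vsock_socket permission but carves out `-dumpstate` without explanation; since this is the rule that stops other domains from binding or connecting as virtualizationservice, the comment should name which permission dumpstate needs (presumably only inspection during bugreports, to confirm) so the exemption is not read as permission to widen it further. Consider also whether the dumpstate exemption could be narrowed to that one permission instead of `*`.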