Disallow relabeling vsock
There's no need for it, and we would like to be able to rely on these
labels.
Bug: 347661724
Test: Builds
Change-Id: I5a0cf5446d0b99239e8fe5d45480c4942710578c
diff --git a/private/domain.te b/private/domain.te
index 61e2ea6..c92830f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2235,3 +2235,6 @@
# Only init/vendor are allowed to write sysfs_pgsize_migration;
# ueventd needs write access to all sysfs files.
neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
+
+# We need to be able to rely on vsock labels, so disallow changing them.
+neverallow domain *:vsock_socket { relabelfrom relabelto };
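Review bot: The added neverallow only denies `relabelfrom`/`relabelto`, i.e. changing the label of an existing vsock socket, while the comment above it states the broader goal of being able to rely on vsock labels. A socket's label can also be chosen when it is created (through `setsockcreate` on the process class, or a `type_transition`), and this rule does not constrain that; whether those paths are already restricted elsewhere in the policy is not visible in this hunk. I would scope the comment to what is actually enforced, e.g. `# Disallow relabeling existing vsock sockets; labels assigned at creation (setsockcreate/type_transition) are not covered by this rule.`, and confirm that a matching restriction on creation-time labeling exists. The comment should also name which component depends on these labels, so a later reader knows what breaks if the rule is relaxed.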