more vm socket isolation

Bugs: me
Test: build
Change-Id: Ie34ac041f1234891043098a4decf05ec7a9e6761
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 72cc0a6..9b3cfcf 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -61,6 +61,7 @@
 
 # Let virtualizationmanager to accept vsock connection from the guest VMs
 allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+neverallow { domain -virtualizationmanager } virtualizationmanager:vsock_socket { accept bind create connect listen };
 
 # Allow virtualizationmanager to inspect all hypervisor capabilities.
 get_prop(virtualizationmanager, hypervisor_prop)
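Review bot: The neverallow on the new line covers only `{ accept bind create connect listen }`, so a virtualizationmanager-labeled vsock socket that reaches another domain (for example via an inherited or passed fd) could still be used for `read`, `write`, `shutdown` and the option perms; the allow rule directly above grants `create_socket_perms_no_ioctl`, which is wider than what the neverallow forbids to everyone else. If the intent is that nobody but virtualizationmanager touches these sockets, consider widening the assertion, e.g. `neverallow { domain -virtualizationmanager } virtualizationmanager:vsock_socket *;`, after confirming with the policy compiler's neverallow check that no existing rule (crosvm or other helpers spawned by virtualizationmanager) legitimately uses such a socket. Either way the line deserves a one-line comment stating the invariant it enforces, since the comment on the previous line only explains the allow: `# No other domain may create, bind, connect to or listen on vsock sockets owned by virtualizationmanager.`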
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index b5c04af..f423c66 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -83,6 +83,7 @@
 # Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
 # such as the guest tombstone server.
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
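Review bot: The new neverallow here mirrors the one in virtualizationmanager.te and has the same gap: it forbids `accept bind create connect listen` on virtualizationservice-labeled vsock sockets to every other domain but leaves `read`, `write`, `shutdown` and the socket option perms unasserted, so a leaked fd to one of these singleton-service sockets (the tombstone server named in the comment above) is not ruled out by policy. If the intent is exclusive ownership, tightening to `neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket *;` would express it, subject to the build's neverallow check passing against existing rules. Also add a short comment above the line so the assertion is documented alongside the allow, e.g. `# Only virtualizationservice may operate vsock sockets labeled as virtualizationservice.`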