Merge "Disallow relabeling vsock" into main

commit: 57ad5ae413a85ec59334060084e98cdd766ac63f [log] [tgz]
author: Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> Wed Jun 19 14:11:37 2024 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Jun 19 14:11:37 2024 +0000
tree: 0300be9514bdef00530d3a8c112da375b2002b91
parent: 17ba6445f171839819ddbacb53c9065d551ac53a [diff]
parent: 1cf6c42777a706429eea56dc006c08a2455ea89f [diff]
diff --git a/private/domain.te b/private/domain.te
index 61e2ea6..c92830f 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -2235,3 +2235,6 @@
 # Only init/vendor are allowed to write sysfs_pgsize_migration;
 # ueventd needs write access to all sysfs files.
 neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
+
+# We need to be able to rely on vsock labels, so disallow changing them.
+neverallow domain *:vsock_socket { relabelfrom relabelto };
commit	57ad5ae413a85ec59334060084e98cdd766ac63f	[log] [tgz]
author	Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>	Wed Jun 19 14:11:37 2024 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Jun 19 14:11:37 2024 +0000
tree	0300be9514bdef00530d3a8c112da375b2002b91
parent	17ba6445f171839819ddbacb53c9065d551ac53a [diff]
parent	1cf6c42777a706429eea56dc006c08a2455ea89f [diff]