Enforce unconstrained_vsock_violators
Basically, SELinux doesn't have a good view on
how vsock connections are set up, and they are
unconstrained. We need to limit these and either
allow SELinux to understand what's on the other
side of the connection, or delegate the permission
model to virtualizationmanager.
This change puts this check in place. Additional
CLs will add tests.
Bug: 347661724
Test: build (neverallow enforced at build)
Change-Id: If59b5d51cfead32895a88cb6b0c9e39743f98ea6
diff --git a/private/domain.te b/private/domain.te
index 31b544b..618258c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2274,5 +2274,26 @@
# ueventd needs write access to all sysfs files.
neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
-# We need to be able to rely on vsock labels, so disallow changing them.
-neverallow domain *:vsock_socket { relabelfrom relabelto };
+# virtmanager enforces access policy for which components can connect
+# to which VMs. If you have permissions to make direct connections, you
+# can talk to anything.
+starting_at_board_api(202504, `
+neverallow {
+ domain
+
+ # these are expected
+ -early_virtmgr
+ -virtualizationmanager
+ -virtualizationservice
+ -adbd_common # maybe should move to emulator/virtual device specific policy
+
+ # not expected, and defined outside of system/sepolicy.
+ # Note: this attribute is strongly recommended to be empty if not required.
+ -unconstrained_vsock_violators
+
+ # these are permissions that should be removed, and they are here for visibility.
+ -compos_fd_server # TODO: get connections from virtmanager
+ -hal_keymint_system # TODO: get connections from virtmanager
+ -vmlauncher_app # TODO: get connections from virtmanager
+} *:vsock_socket { connect create accept bind };
+')
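Review bot: the removal of `neverallow domain *:vsock_socket { relabelfrom relabelto };` at the top of this hunk is not mentioned in the commit message, and the comment it carried ("We need to be able to rely on vsock labels, so disallow changing them") still applies: the new rule only covers `connect create accept bind`, so nothing in this hunk replaces the relabel prohibition. Either keep the old neverallow alongside the new block, or explain in the message why relabeling vsock sockets no longer needs to be forbidden. Two smaller points: the new comment refers to `virtmanager` while the exempted domains are `early_virtmgr` and `virtualizationmanager`; naming the actual domains avoids ambiguity. And because the block is wrapped in `starting_at_board_api(202504, ...)`, the Test line's "neverallow enforced at build" only holds for targets at that board API level or later; stating that makes clear that older targets, and anything added to `unconstrained_vsock_violators`, are not checked by this rule.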