Restrict vsock permissions

This is just an idea, and it could probably be implemented better
(e.g. an attribute for all vs_use() domains). But it might have some
use.

I'll leave it up to you whether to submit this, and if so in what
form.

The idea is to say that any domain that is using AVF should only use
AVF APIs, and so shouldn't be doing other things with vsock.

This isn't difficult to bypass intentionally, but it should help to
prevent/discourage accidental misconfiguration.

Bug: 347661724
Test: Nope
Change-Id: I6161d937f9640683d5739423da70ba7cc46bc4e2
diff --git a/public/te_macros b/public/te_macros
index 6d7533a..6aafb5d 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -197,6 +197,7 @@
 # that it created. Notice that we do not grant permission to create a vsock;
 # the client can only connect to VMs that it owns.
 allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
+neverallow {$1 -virtualizationservice} self:vsock_socket { create bind connect accept listen };
 # Allow client to inspect hypervisor capabilities
 get_prop($1, hypervisor_prop)
 # Allow client to read (but not open) the crashdump provided by virtualizationmanager
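Review bot: The new `neverallow` on `{$1 -virtualizationservice}` is uncommented, while every other rule in this macro carries a `#` line explaining its intent; add one stating that AVF clients are expected to reach VMs only through virtualizationmanager and must not create, bind, connect, accept or listen on their own vsock sockets, so that the next reader knows the rule is a deliberate guard against accidental misconfiguration rather than a stray restriction. Because `neverallow` is a build-time assertion expanded once per macro caller, any domain that invokes this macro and also holds direct `vsock_socket` permissions will now fail the policy build, and the hard-coded `-virtualizationservice` exclusion means each further exception requires editing the macro itself; the attribute-based approach mentioned in the description would scale better, so it is worth settling that before merging. Finally, the description records no testing: at minimum confirm that the full policy still compiles with the new assertion, and note the result in the `Test:` line.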