Merge "Restrict vsock permissions" into main
diff --git a/public/te_macros b/public/te_macros
index 6d7533a..6aafb5d 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -197,6 +197,7 @@
 # that it created. Notice that we do not grant permission to create a vsock;
 # the client can only connect to VMs that it owns.
 allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
+neverallow {$1 -virtualizationservice} self:vsock_socket { create bind connect accept listen };
 # Allow client to inspect hypervisor capabilities
 get_prop($1, hypervisor_prop)
 # Allow client to read (but not open) the crashdump provided by virtualizationmanager
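Review bot: The comment on the two lines above the new neverallow still describes the restriction as an omission ("we do not grant permission to create a vsock"), while the added line now turns it into a hard policy assertion, and the `-virtualizationservice` exemption is not explained anywhere in the hunk. Suggest amending that comment to something like `# Clients must not create vsock sockets of their own; the neverallow below enforces this (virtualizationservice is exempt, presumably because it invokes this macro itself and needs a listening socket -- confirm).` Note also that the assertion only covers sockets labelled with the caller's own type (`self`), so a socket relabelled through a type_transition would not be caught; that is likely fine here, but worth a word in the comment if such transitions exist in the policy.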