introducing unconstrained_vsock_violators
Adding attribute separately from uses of it so
that it can be applied in different places.
Basically, SELinux doesn't have a good view on
how vsock connections are set up, and they are
unconstrained. We need to limit these and either
allow SELinux to understand what's on the other
side of the connection, or delegate the permission
model to virtualizationmanager.
Bug: 347661724
Test: N/A
Change-Id: Ie0ede16fe73f609386275ed18f4b2ffe49620b12
diff --git a/private/attributes b/private/attributes
index 0da777a..4f59acf 100644
--- a/private/attributes
+++ b/private/attributes
@@ -16,6 +16,11 @@
hal_attribute(mediaquality);
')
+until_board_api(202504, `
+attribute unconstrained_vsock_violators;
+expandattribute unconstrained_vsock_violators false;
+')
+
# All SDK sandbox domains
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
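Review bot: The private declaration carries no comment or bug reference, unlike its public counterpart, so a reader of private/attributes cannot tell why this attribute exists or when it can be dropped. Add at least a one-line comment above `attribute unconstrained_vsock_violators;` (e.g. `# TODO(b/347661724): Remove this once there are no violations.`) so both declarations stay in step. Also double-check that the `until_board_api(202504, ...)` guard here is the exact complement of the `starting_at_board_api(202504, ...)` guard in public/attributes; if either boundary is later bumped, the attribute will be either declared twice or not at all for one API level.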
diff --git a/public/attributes b/public/attributes
index 1556d57..bc58e40 100644
--- a/public/attributes
+++ b/public/attributes
@@ -250,6 +250,16 @@
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;
+starting_at_board_api(202504, `
+# All vsock communication is required to go through AVF so that we can
+# have a consistent permission model for which is allowed to talk to
+# which. This breaks Treble as well as updatability of VMs and
+# other components.
+# TODO(b/347661724): Remove this once there are no violations.
+attribute unconstrained_vsock_violators;
+expandattribute unconstrained_vsock_violators false;
+')
+
# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
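Review bot: The comment block does not say what membership in the attribute means, and its two sentences are hard to parse: "for which is allowed to talk to which" is missing a noun, and the antecedent of "This breaks Treble ..." reads as if the AVF requirement itself breaks Treble rather than the direct vsock usage this attribute marks. Suggest rewording along the lines of "Domains that set up vsock connections directly instead of going through AVF. All vsock communication is required to go through AVF so that there is a consistent permission model for which domains may talk to which; direct vsock use breaks Treble as well as updatability of VMs and other components." Separately, nothing in either hunk attaches a neverallow or any other rule to the attribute, so until the follow-up that uses it lands the attribute is inert; a pointer to that follow-up in the comment (or the commit message) would help reviewers of this change on its own.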