introducing unconstrained_vsock_violators Adding attribute separately from uses of it so that it can be applied in different places. Basically, SELinux doesn't have a good view on how vsock connections are setup, and they are unconstrained. We need to limit these and either allow SELinux to understand what's on the other side of the connection, or delegate the permission model to virtualizationmanager. Bug: 347661724 Test: N/A Change-Id: Ie0ede16fe73f609386275ed18f4b2ffe49620b12

commit: f5da7b9e07f1c367d4679f7a00850b7d5a8ce938 [log] [tgz]
author: Steven Moreland <smoreland@google.com> Tue Jan 14 00:17:33 2025 +0000
committer: Steven Moreland <smoreland@google.com> Tue Jan 14 02:11:01 2025 +0000
tree: 43b770fbd014d7992ada484c379bc3cd267bf163
parent: e899a6ef87a0bf551556ec52639e3554e593210f [diff] [blame]
diff --git a/private/attributes b/private/attributes
index 0da777a..4f59acf 100644
--- a/private/attributes
+++ b/private/attributes

@@ -16,6 +16,11 @@
     hal_attribute(mediaquality);
 ')
 
+until_board_api(202504, `
+attribute unconstrained_vsock_violators;
+expandattribute unconstrained_vsock_violators false;
+')
+
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
 # The SDK sandbox domains for the current SDK level.
commit	f5da7b9e07f1c367d4679f7a00850b7d5a8ce938	[log] [tgz]
author	Steven Moreland <smoreland@google.com>	Tue Jan 14 00:17:33 2025 +0000
committer	Steven Moreland <smoreland@google.com>	Tue Jan 14 02:11:01 2025 +0000
tree	43b770fbd014d7992ada484c379bc3cd267bf163
parent	e899a6ef87a0bf551556ec52639e3554e593210f [diff] [blame]