Note unconstrained_vsock_violators.

We may need other solutions in order to constrain how
vsock connections can be opened up. However, right now
what connections can be made to is unrestricted, which
prevents us from strengthening security around these
settings. Mark current users of vsock as violators,
in order to raise awareness and track issues.

For VM users - generic Android APIs for connecting to VMs, either
those already in AVF or others, should be used.

For other verticals - we may leave these open indefinitely or talk
elsewhere.

For virtual devices and VMs, we may need a new way to get host
connections or modify the sepolicy around this case.

Bug: 347661724
Test: build
Change-Id: I4b195af3bb3881a3443b7981845c94aef6a05d99
1 file changed