Merge "Add metadata partition" into master-cuttlefish-testing

commit: add80cbb6c4a652f5c1317be30a30b2fa0887e0b [log] [tgz]
author: Alistair Strachan <astrachan@google.com> Tue Mar 19 21:47:43 2019 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Mar 19 21:47:43 2019 +0000
tree: 63ce97f84c2eecbca2853087c7a9077084027ce2
parent: d54034c87963a5019946cc24b24c23dfd5e6c227 [diff]
parent: c4608649a187aea4856d84d317f0fe340d4bd45a [diff]
diff --git a/shared/sepolicy/socket_vsock_proxy.te b/shared/sepolicy/socket_vsock_proxy.te
index 468ac8a..c21a6a6 100644
--- a/shared/sepolicy/socket_vsock_proxy.te
+++ b/shared/sepolicy/socket_vsock_proxy.te

@@ -1,5 +1,11 @@
-type socket_vsock_proxy, domain;
+type socket_vsock_proxy, domain, netdomain;
 type socket_vsock_proxy_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(socket_vsock_proxy)
 
+allow socket_vsock_proxy self:global_capability_class_set { net_admin net_raw };
+allow socket_vsock_proxy self:socket { create read write listen accept bind };
+
+# TODO: socket returned by accept() has unlabeled context on it. Give it a
+# specific label.
+allow socket_vsock_proxy unlabeled:socket { getopt read write shutdown};
commit	add80cbb6c4a652f5c1317be30a30b2fa0887e0b	[log] [tgz]
author	Alistair Strachan <astrachan@google.com>	Tue Mar 19 21:47:43 2019 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Mar 19 21:47:43 2019 +0000
tree	63ce97f84c2eecbca2853087c7a9077084027ce2
parent	d54034c87963a5019946cc24b24c23dfd5e6c227 [diff]
parent	c4608649a187aea4856d84d317f0fe340d4bd45a [diff]