# SELinux policy for the socket_vsock_proxy daemon.
# Lines marked NOTE(review) are points to confirm against the daemon source;
# they are not facts established by this file.

# Process domain. It carries the netdomain attribute in addition to domain.
type socket_vsock_proxy, domain, netdomain;
# Label for the daemon executable, classed as a vendor file.
type socket_vsock_proxy_exec, exec_type, vendor_file_type, file_type;

# Standard setup for a daemon started by init from the exec type above.
init_daemon_domain(socket_vsock_proxy)

# NOTE(review): net_admin and net_raw are broad capabilities. Confirm the
# proxy needs both, and drop whichever one is unused.
allow socket_vsock_proxy self:global_capability_class_set net_admin;
allow socket_vsock_proxy self:global_capability_class_set net_raw;

# Server-side use of its own sockets: create, bind, listen, accept, then I/O.
# Neither connect nor setopt is granted here.
allow socket_vsock_proxy self:socket { create bind listen accept read write getattr getopt shutdown };
allow socket_vsock_proxy self:vsock_socket { create bind listen accept read write getattr getopt shutdown };

# From board API 202504 onward the domain is tagged as a vsock violator.
# NOTE(review): presumably this exempts it from a vsock neverallow defined
# elsewhere; confirm the exemption is still required.
starting_at_board_api(202504, `
typeattribute socket_vsock_proxy unconstrained_vsock_violators;
')

# TODO: socket returned by accept() has unlabeled context on it. Give it a
# specific label.
# NOTE(review): until then these rules match every socket or vsock_socket
# object that carries the unlabeled type, not only accepted connections.
allow socket_vsock_proxy unlabeled:socket { read write getopt shutdown };
allow socket_vsock_proxy unlabeled:vsock_socket { read write getopt shutdown };