Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 2ecdfb49bcb4ea3c486aef52f9cb2be8f63a0558^1..2ecdfb49bcb4ea3c486aef52f9cb2be8f63a0558 / .
commit2ecdfb49bcb4ea3c486aef52f9cb2be8f63a0558[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Fri Oct 20 14:35:59 2017 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Fri Oct 20 14:35:59 2017 +0000
tree1fd20e749a21a926f07c0c555060e306e75967c9
parentc734710c13d116e551afb16f1610c183984c1b6c [diff]
parent93615b144dbbf56df7f76c1e743e47aea72be7c3 [diff]
Merge "disallow SIOCATMARK"
diff --git a/public/domain.te b/public/domain.te
index f28da11..4b771dc 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -228,6 +228,10 @@
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
 # TIOCSTI is only ever used for exploits. Block it.
 # b/33073072, b/7530569
 # http://www.openwall.com/lists/oss-security/2016/09/26/14