Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket. am: a8239c61

am: 1376638d Change-Id: Ief3104b69f825a47c68dfa1bf0c372e340fabd6d

Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket. am: a8239c61
0a10b00e · Lorenzo Colitti · android-build-merger · b4e26018 · 1376638d · 0a10b00e
Commit 0a10b00e authored 8 years ago by Lorenzo Colitti Committed by android-build-merger 8 years ago
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -142,7 +142,7 @@ allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
 # List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
 # Access /data/tombstones.
 allow dumpstate tombstone_data_file:dir r_dir_perms;