diff --git a/public/domain.te b/public/domain.te
index f28da11c549958a78629ac980dad563743b7feed..4b771dce70b2146d314e15b0679d7bbd112f4b8d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -228,6 +228,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
 # TIOCSTI is only ever used for exploits. Block it.
 # b/33073072, b/7530569
 # http://www.openwall.com/lists/oss-security/2016/09/26/14
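Review bot: The new comment above the SIOCATMARK rule cites the bug and the RFC but does not say what the rule actually enforces, which matters here because `neverallowxperm` is a build-time assertion rather than a runtime denial: it makes policy compilation fail if any domain is ever granted that ioctl through an `allowxperm`, while the runtime decision still comes from each domain's own ioctl allowlist (the `{ 0 }` rule two lines up asserts that every socket ioctl must be explicitly listed). A one-line note would make that intent clear to the next person who trips over the assertion: `# Build-time assertion: policy compilation fails if any domain is granted SIOCATMARK via allowxperm.`. The rule is applied to the whole `socket_class_set` even though the RFC concern is TCP-specific, which looks intentional since the ioctl number is not class-specific; presumably `SIOCATMARK` is defined in the policy's ioctl defines, which this hunk does not show, so that should be confirmed. The RFC reference would also read better as `RFC 6093`.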