Skip to content
Snippets Groups Projects
Commit 93615b14 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

disallow SIOCATMARK 

The use of SIOCATMARK is not recommended per rfc6093.

This ioctl is not currently allowed on Android. Add a neverallowxperm
statement (compile time assertion + CTS test) to ensure this never
regresses.

Bug: 68014825
Test: policy compiles.
Change-Id: I41272a0cb157ac9aa38c8e67aabb8385403815f9
parent 9f788544
Branches
Tags
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 4 additions and 0 deletions
public/domain.te
+ 4
0
View file @ 93615b14
......@@ -228,6 +228,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment