From 93615b144dbbf56df7f76c1e743e47aea72be7c3 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 19 Oct 2017 19:51:46 -0700
Subject: [PATCH] disallow SIOCATMARK

The use of SIOCATMARK is not recommended per rfc6093.

This ioctl is not currently allowed on Android. Add a neverallowxperm
statement (compile time assertion + CTS test) to ensure this never
regresses.

Bug: 68014825
Test: policy compiles.
Change-Id: I41272a0cb157ac9aa38c8e67aabb8385403815f9
---
 public/domain.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index f28da11c5..4b771dce7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -228,6 +228,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
 # TIOCSTI is only ever used for exploits. Block it.
 # b/33073072, b/7530569
 # http://www.openwall.com/lists/oss-security/2016/09/26/14
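Review bot: the new rule `neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };` resolves `SIOCATMARK` from the policy's ioctl macro definitions, so a missing or mistyped definition would fail the build rather than silently pass; the "Test: policy compiles." line covers that, but the commit message also promises a CTS test, and nothing in the message says that test was run, so please state the CTS neverallow result too. Minor: the comment cites "rfc6093" by bare name while the TIOCSTI block just below gives a full URL; a link (e.g. to the RFC) would keep the two blocks consistent and make the rationale easier to find, and noting that the rule blocks the ioctl on every class in `socket_class_set`, not only TCP sockets, would make the scope explicit.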
-- 
GitLab