Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket. am: a8239c61 am: 1376638d

am: 0a10b00e Change-Id: I35ec7f134e24193e189d9fc7c9bd1d325b70ff6a

Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket. am: a8239c61 am: 1376638d
d0ed9d0a · Lorenzo Colitti · android-build-merger · 40196b4b · 0a10b00e · d0ed9d0a
Commit d0ed9d0a authored 8 years ago by Lorenzo Colitti Committed by android-build-merger 8 years ago
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -142,7 +142,7 @@ allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;

 # List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

 # Access /data/tombstones.
 allow dumpstate tombstone_data_file:dir r_dir_perms;