Skip to content
Snippets Groups Projects
Commit 71c1219a authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger
Browse files

Merge "disallow SIOCATMARK" am: 2ecdfb49 am: f9eb9314 

am: 74e50cbf

Change-Id: I2151b1fcde1a26885297c8920b2b1560d6d1ac1f
parents ecbbdbd3 74e50cbf
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 4 additions and 0 deletions
public/domain.te
+ 4
0
View file @ 71c1219a
...@@ -228,6 +228,10 @@ with_asan(`allow domain system_data_file:dir getattr;') ...@@ -228,6 +228,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
# All socket ioctls must be restricted to a whitelist. # All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 }; neverallowxperm domain domain:socket_class_set ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
# TIOCSTI is only ever used for exploits. Block it. # TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569 # b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14 # http://www.openwall.com/lists/oss-security/2016/09/26/14
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment