Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket.

This fixes the build error: ===== libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl }; libsepol.check_assertions: 1 neverallow failures occurred ===== Which is caused, in AOSP and downstream branches, by I123e5d40955358665800fe3b86cd5f8dbaeb8717. Test: builds. Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970

Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket.
This fixes the build error: ===== libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl }; libsepol.check_assertions: 1 neverallow failures occurred ===== Which is caused, in AOSP and downstream branches, by I123e5d40955358665800fe3b86cd5f8dbaeb8717. Test: builds. Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970
a8239c61 · Lorenzo Colitti · bb9b4dd8 · a8239c61
Commit a8239c61 authored 8 years ago by Lorenzo Colitti
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -142,7 +142,7 @@ allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
 # List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
 # Access /data/tombstones.
 allow dumpstate tombstone_data_file:dir r_dir_perms;