From a8239c61b83be80e456d74a21b1065fa84086931 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Tue, 27 Sep 2016 23:24:13 +0900
Subject: [PATCH] Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket.

This fixes the build error: ===== libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl }; libsepol.check_assertions: 1 neverallow failures occurred ===== Which is caused, in AOSP and downstream branches, by I123e5d40955358665800fe3b86cd5f8dbaeb8717. Test: builds. Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970
---
 dumpstate.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dumpstate.te b/dumpstate.te
index dd0a7e080..9f3370e39 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -142,7 +142,7 @@ allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
 
 # List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
 
 # Access /data/tombstones.
 allow dumpstate tombstone_data_file:dir r_dir_perms;
-- 
GitLab
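Review bot: The `# List sockets via ss.` comment above the changed allow rule does not say why ioctl is now deliberately excluded, so a later maintainer is likely to reintroduce `create_socket_perms` and hit the same neverallowxperm failure from domain.te line 166 quoted in the description; extend it to `# List sockets via ss. ioctl is intentionally omitted: domain.te's neverallowxperm forbids unrestricted ioctl on this socket class.` The commit is verified only by a build ("Test: builds"), so whether ss inside a bugreport still produces output without ioctl on netlink_tcpdiag_socket is unconfirmed from this page; if ss does need one, the failure would surface only at runtime as an avc denial, which is worth checking before merge. Dropping ioctl from the permissions dumpstate holds on this netlink socket is a real reduction in reachable kernel surface, so the narrower rule is the right direction and not merely a build fix.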