Commit f9eb9314 authored by Nick Kralevich, committed by android-build-merger

Merge "disallow SIOCATMARK"

am: 2ecdfb49

Change-Id: I83612a33e951c7da0406b89cf739f6afb9a21aeb
parents 20fffbb3 2ecdfb49
...@@ -228,6 +228,10 @@ with_asan(`allow domain system_data_file:dir getattr;') ...@@ -228,6 +228,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
# All socket ioctls must be restricted to a whitelist. # All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 }; neverallowxperm domain domain:socket_class_set ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
# TIOCSTI is only ever used for exploits. Block it. # TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569 # b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14 # http://www.openwall.com/lists/oss-security/2016/09/26/14
......
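Review bot: The comment on the added SIOCATMARK rule justifies it only by RFC 6093's advice against the TCP urgent mechanism, while the rule itself is written against socket_class_set and so covers every socket class, not just TCP sockets. If the broad scope is intended, say so in the comment, for example "# Block it for all socket classes; no domain should need it.", in the same way the TIOCSTI comment below states the action ("Block it."). It would also help to note that this is a separate neverallowxperm from the `{ 0 }` whitelist assertion above it, so a reader does not assume the whitelist rule alone already covers this ioctl.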