bluetooth.te - fp2-dev/platform/external/sepolicy - Gitiles

 # bluetooth subsystem
 type bluetooth, domain;
 app_domain(bluetooth)

 # Data file accesses.
 allow bluetooth bluetooth_data_file:dir create_dir_perms;
 allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

 # Socket creation under /data/misc/bluedroid.
 type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 allow bluetooth bluetooth_socket:sock_file create_file_perms;

 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)

 # Device accesses.
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 allow bluetoothdomain self:socket *;

 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;

 # Allow clients to use a socket provided by the bluetooth app.
 allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };

 # tethering
 allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
 allow bluetooth efs_file:dir search;

 # Talk to init over the property socket.
 unix_socket_connect(bluetooth, property, init)

 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;

 # bluetooth file transfers
 allow bluetooth sdcard_internal:dir create_dir_perms;
 allow bluetooth sdcard_internal:file create_file_perms;

 # Allow reading of media_rw_data_file file descriptors
 # passed to bluetooth
 allow bluetooth media_rw_data_file:file { read getattr };

 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;

 ###
 ### Neverallow rules
 ###
 ### These are things that the bluetooth app should NEVER be able to do
 ###

 # Superuser capabilities.
 # bluetooth requires net_admin.
 neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
	# bluetooth subsystem
	type bluetooth, domain;
	app_domain(bluetooth)

	# Data file accesses.
	allow bluetooth bluetooth_data_file:dir create_dir_perms;
	allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

	# Socket creation under /data/misc/bluedroid.
	type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
	allow bluetooth bluetooth_socket:sock_file create_file_perms;

	# bluetooth factory file accesses.
	r_dir_file(bluetooth, bluetooth_efs_file)

	# Device accesses.
	allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

	# Other domains that can create and use bluetooth sockets.
	# SELinux does not presently define a specific socket class for
	# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
	allow bluetoothdomain self:socket *;

	# sysfs access.
	allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
	allow bluetooth self:capability net_admin;

	# Allow clients to use a socket provided by the bluetooth app.
	allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };

	# tethering
	allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
	allow bluetooth efs_file:dir search;

	# Talk to init over the property socket.
	unix_socket_connect(bluetooth, property, init)

	# proc access.
	allow bluetooth proc_bluetooth_writable:file rw_file_perms;

	# bluetooth file transfers
	allow bluetooth sdcard_internal:dir create_dir_perms;
	allow bluetooth sdcard_internal:file create_file_perms;

	# Allow reading of media_rw_data_file file descriptors
	# passed to bluetooth
	allow bluetooth media_rw_data_file:file { read getattr };

	# Allow write access to bluetooth specific properties
	allow bluetooth bluetooth_prop:property_service set;

	###
	### Neverallow rules
	###
	### These are things that the bluetooth app should NEVER be able to do
	###

	# Superuser capabilities.
	# bluetooth requires net_admin.
	neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;