Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / 77eb35263f40607e36fdcd85d95050a4ecedb6b8 / . / bluetooth.te
blob: 619ce7f7cca6c63efef76dd7d4ea91842da98bc4 [file] [log] [blame]
Stephen Smalley61c80d52012-11-16 09:06:47 -0500[diff] [blame]1# bluetooth subsystem
2type bluetooth, domain;
3app_domain(bluetooth)
Stephen Smalley85708ec2014-02-24 10:48:03 -0500[diff] [blame]4net_domain(bluetooth)
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]5
6# Data file accesses.
7allow bluetooth bluetooth_data_file:dir create_dir_perms;
8allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
9
Stephen Smalley09f6a992014-01-13 09:14:15 -0500[diff] [blame]10# Socket creation under /data/misc/bluedroid.
11type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
12allow bluetooth bluetooth_socket:sock_file create_file_perms;
13
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]14# bluetooth factory file accesses.
15r_dir_file(bluetooth, bluetooth_efs_file)
16
17# Device accesses.
Stephen Smalleyb3c48b62013-10-23 13:50:19 -0400[diff] [blame]18allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]19
20# Other domains that can create and use bluetooth sockets.
21# SELinux does not presently define a specific socket class for
22# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]23# TODO: This should no longer be needed with bluedroid for bluetooth
24# but may be getting used for other non-bluetooth sockets that has no
25# specific class defined. Consider taking to specific domains.
26allow bluetoothdomain self:socket create_socket_perms;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]27
28# sysfs access.
29allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
30allow bluetooth self:capability net_admin;
Sharvil Nanavati77eb3522014-06-29 10:45:03 -0700[diff] [blame^]31allow bluetooth self:capability2 wake_alarm;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]32
33# Allow clients to use a socket provided by the bluetooth app.
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]34# TODO: See if this is still required under bluedroid.
Sérgio Faria536ddba2014-06-29 13:11:27 +0100[diff] [blame]35allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]36
37# tethering
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]38allow bluetooth self:tun_socket create_socket_perms;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]39allow bluetooth efs_file:dir search;
40
41# Talk to init over the property socket.
42unix_socket_connect(bluetooth, property, init)
43
44# proc access.
45allow bluetooth proc_bluetooth_writable:file rw_file_perms;
46
Nick Kralevich5b38c472013-10-29 12:45:10 -0700[diff] [blame]47# Allow write access to bluetooth specific properties
48allow bluetooth bluetooth_prop:property_service set;
Paul Jensen97a2cfd2014-06-18 09:20:36 -0400[diff] [blame]49allow bluetooth pan_result_prop:property_service set;
50allow bluetooth ctl_dhcp_pan_prop:property_service set;
Nick Kralevich5b38c472013-10-29 12:45:10 -0700[diff] [blame]51
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]52###
53### Neverallow rules
54###
55### These are things that the bluetooth app should NEVER be able to do
56###
57
58# Superuser capabilities.
Sharvil Nanavati77eb3522014-06-29 10:45:03 -0700[diff] [blame^]59# bluetooth requires net_admin and wake_alarm.
Nick Kralevich623975f2014-01-11 01:31:03 -0800[diff] [blame]60neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
Sharvil Nanavati77eb3522014-06-29 10:45:03 -0700[diff] [blame^]61neverallow { bluetooth -unconfineddomain } self:capability2 ~wake_alarm;