Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / refs/tags/FP2-open-16.11.0 / . / bluetooth.te
blob: fdf106de099d5cc5c8d619cddb4abbcecec33e74 [file] [log] [blame]
Stephen Smalley61c80d52012-11-16 09:06:47 -0500[diff] [blame]1# bluetooth subsystem
2type bluetooth, domain;
3app_domain(bluetooth)
Stephen Smalley85708ec2014-02-24 10:48:03 -0500[diff] [blame]4net_domain(bluetooth)
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]5
6# Data file accesses.
7allow bluetooth bluetooth_data_file:dir create_dir_perms;
8allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
9
Stephen Smalley09f6a992014-01-13 09:14:15 -0500[diff] [blame]10# Socket creation under /data/misc/bluedroid.
11type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
12allow bluetooth bluetooth_socket:sock_file create_file_perms;
13
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]14# bluetooth factory file accesses.
15r_dir_file(bluetooth, bluetooth_efs_file)
16
17# Device accesses.
Stephen Smalleyb3c48b62013-10-23 13:50:19 -0400[diff] [blame]18allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]19
20# Other domains that can create and use bluetooth sockets.
21# SELinux does not presently define a specific socket class for
22# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]23# TODO: This should no longer be needed with bluedroid for bluetooth
24# but may be getting used for other non-bluetooth sockets that has no
25# specific class defined. Consider taking to specific domains.
Nick Kralevichf54b97b2016-05-05 13:37:55 -0700[diff] [blame]26allow { bluetoothdomain -untrusted_app -isolated_app -shell } self:socket create_socket_perms;
27neverallow { untrusted_app isolated_app shell } { untrusted_app isolated_app shell }:socket *;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]28
29# sysfs access.
30allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
31allow bluetooth self:capability net_admin;
Sharvil Nanavati77eb3522014-06-29 10:45:03 -0700[diff] [blame]32allow bluetooth self:capability2 wake_alarm;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]33
34# Allow clients to use a socket provided by the bluetooth app.
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]35# TODO: See if this is still required under bluedroid.
Sérgio Faria536ddba2014-06-29 13:11:27 +0100[diff] [blame]36allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]37
38# tethering
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]39allow bluetooth self:tun_socket create_socket_perms;
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]40allow bluetooth efs_file:dir search;
41
42# Talk to init over the property socket.
43unix_socket_connect(bluetooth, property, init)
44
45# proc access.
46allow bluetooth proc_bluetooth_writable:file rw_file_perms;
47
Nick Kralevich5b38c472013-10-29 12:45:10 -0700[diff] [blame]48# Allow write access to bluetooth specific properties
49allow bluetooth bluetooth_prop:property_service set;
Paul Jensen97a2cfd2014-06-18 09:20:36 -0400[diff] [blame]50allow bluetooth pan_result_prop:property_service set;
51allow bluetooth ctl_dhcp_pan_prop:property_service set;
Nick Kralevich5b38c472013-10-29 12:45:10 -0700[diff] [blame]52
Stephen Smalleyd7fd22e2013-10-22 12:56:32 -0400[diff] [blame]53###
54### Neverallow rules
55###
56### These are things that the bluetooth app should NEVER be able to do
57###
58
59# Superuser capabilities.
Sharvil Nanavati77eb3522014-06-29 10:45:03 -0700[diff] [blame]60# bluetooth requires net_admin and wake_alarm.
Nick Kralevichbe660692014-07-04 10:12:13 -0700[diff] [blame]61neverallow bluetooth self:capability ~net_admin;
62neverallow bluetooth self:capability2 ~wake_alarm;