# bluetooth subsystem
#
# Domain for the Bluetooth app process. The allow rules below grant what
# the app needs for its data files, sockets, devices and properties; the
# neverallow rules at the end pin its capability set so it cannot be
# widened by a rule elsewhere without failing the policy build.
type bluetooth, domain;
app_domain(bluetooth)
net_domain(bluetooth)

# Data file accesses.
# Full create/read/write on the app's own data directory and on every
# non-device file class beneath it.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;

# Socket creation under /data/misc/bluedroid.
# sock_files the app creates inside bluetooth_data_file are labeled
# bluetooth_socket rather than inheriting the directory label, so the
# sockets can be targeted by policy separately from ordinary data files.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
allow bluetooth bluetooth_socket:sock_file create_file_perms;

# bluetooth factory file accesses.
# Read-only (r_dir_file): nothing here lets the app modify the factory data.
r_dir_file(bluetooth, bluetooth_efs_file)

# Device accesses.
# NOTE(review): presumably tun_device for PAN tethering, uhid_device for
# userspace HID devices and hci_attach_dev for attaching the HCI
# transport — confirm against the device's init/udev labeling.
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;

# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
# TODO: This should no longer be needed with bluedroid for bluetooth
# but may be getting used for other non-bluetooth sockets that has no
# specific class defined. Consider taking to specific domains.
# Note that the generic socket class covers any address family the
# kernel does not map to a more specific class, so this grant is broad;
# bluetoothdomain is presumably an attribute declared elsewhere, and
# every domain carrying it receives this rule.
allow bluetoothdomain self:socket create_socket_perms;

# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
# The only two capabilities this domain holds; they are mirrored by the
# neverallow rules at the bottom of the file.
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;

# Allow clients to use a socket provided by the bluetooth app.
# TODO: See if this is still required under bluedroid.
# Deliberately no create/connectto: clients operate on a socket the
# bluetooth app already provided, they do not open one themselves.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };

# tethering
allow bluetooth self:tun_socket create_socket_perms;
# search on the parent efs_file directory — presumably so the
# bluetooth_efs_file paths above are reachable; confirm against the
# filesystem layout.
allow bluetooth efs_file:dir search;

# Talk to init over the property socket.
# Needed for the property_service set rules below.
unix_socket_connect(bluetooth, property, init)

# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;

# Allow write access to bluetooth specific properties
# NOTE(review): ctl_dhcp_pan_prop presumably covers ctl.* properties that
# ask init to start/stop the PAN dhcp service — confirm which service
# names fall under that label.
allow bluetooth bluetooth_prop:property_service set;
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
# "~" is the complement: no capability other than net_admin and no
# capability2 other than wake_alarm may be allowed to this domain. Any
# allow rule elsewhere granting more fails the policy compile.
neverallow bluetooth self:capability ~net_admin;
neverallow bluetooth self:capability2 ~wake_alarm;