Home | History | Annotate | Download | only in sepolicy 
      1 # bluetooth subsystem
      2 type bluetooth, domain;
      3 app_domain(bluetooth)
      4 net_domain(bluetooth)
      5 
      6 # Data file accesses.
      7 allow bluetooth bluetooth_data_file:dir create_dir_perms;
      8 allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
      9 
     10 # Socket creation under /data/misc/bluedroid.
     11 type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
     12 allow bluetooth bluetooth_socket:sock_file create_file_perms;
     13 
     14 # bluetooth factory file accesses.
     15 r_dir_file(bluetooth, bluetooth_efs_file)
     16 
     17 # Device accesses.
     18 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
     19 
     20 # Other domains that can create and use bluetooth sockets.
     21 # SELinux does not presently define a specific socket class for
     22 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
     23 # TODO: This should no longer be needed with bluedroid for bluetooth
     24 # but may be getting used for other non-bluetooth sockets that has no
     25 # specific class defined.  Consider taking to specific domains.
     26 allow bluetoothdomain self:socket create_socket_perms;
     27 
     28 # sysfs access.
     29 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
     30 allow bluetooth self:capability net_admin;
     31 allow bluetooth self:capability2 wake_alarm;
     32 
     33 # Allow clients to use a socket provided by the bluetooth app.
     34 # TODO:  See if this is still required under bluedroid.
     35 allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
     36 
     37 # tethering
     38 allow bluetooth self:tun_socket create_socket_perms;
     39 allow bluetooth efs_file:dir search;
     40 
     41 # proc access.
     42 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
     43 
     44 # Allow write access to bluetooth specific properties
     45 set_prop(bluetooth, bluetooth_prop)
     46 set_prop(bluetooth, pan_result_prop)
     47 set_prop(bluetooth, ctl_dhcp_pan_prop)
     48 
     49 allow bluetooth bluetooth_service:service_manager find;
     50 allow bluetooth mediaserver_service:service_manager find;
     51 allow bluetooth radio_service:service_manager find;
     52 allow bluetooth surfaceflinger_service:service_manager find;
     53 allow bluetooth app_api_service:service_manager find;
     54 allow bluetooth system_api_service:service_manager find;
     55 
     56 # Bluetooth Sim Access Profile Socket to the RIL
     57 unix_socket_connect(bluetooth, sap_uim, rild)
     58 
     59 # already open bugreport file descriptors may be shared with
     60 # the bluetooth process, from a file in
     61 # /data/data/com.android.shell/files/bugreports/bugreport-*.
     62 allow bluetooth shell_data_file:file read;
     63 
     64 ###
     65 ### Neverallow rules
     66 ###
     67 ### These are things that the bluetooth app should NEVER be able to do
     68 ###
     69 
     70 # Superuser capabilities.
     71 # bluetooth requires net_admin and wake_alarm.
     72 neverallow bluetooth self:capability ~net_admin;
     73 neverallow bluetooth self:capability2 ~wake_alarm;
     74